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UNITED STATES DISTRICT COURT 


EASTERN DISTRICT OF CALIFORNIA 


Ryan Dellone , CASE NO: 1:23-—CV-01408-ADA-HBK 
VS. SUMMONS IN A CIVIL CASE 


Coinbase, Inc. , et al. , 


TO: 2.05698427 Bitcoins, Coinbase Global, Inc., 
Coinbase, Inc. 


Defendant's Address: 


YOU ARE HEREBY SUMMONED and required to serve on: 


Ethan Mora 

The Law Office of Ethan Mora 
1040 E. Herndon Ave., Ste 103 
Fresno, CA 93720 


an answer to the complaint which is served on you with this summons, within 21 days after 

service of this summons on you, exclusive of the day of service. If you fail to do so, judgment by 
default will be taken against you for the relief demanded in the complaint. Any answer that you serve 
on the parties to this action must be filed with the Clerk of this Court within a reasonable period 

of time after service. 


KEITH HOLLAND 
CLERK 


/s/ J. Xiong 
(By) DEPUTY CLERK 


ISSUED ON 2023-09-27 10:34:10 
CLERK, USDC EDCA 


RETURN OF SERVICE 


oe : DATE 
Service of the Summons and complaint was made by me (1) 


NAME OF SERVER (PRINT) TITLE 


Check one box below to indicate appropriate method of service 


Served personally upon the defendant. Place where served: 


Left copies thereof at the defendant's dwelling house or usual place of bode with a person of suitable age and 
discretion then residing therein. 


— Name of person with whom the summons and complaint were left: 


Returned unexecuted: 


Other (specify) : 


STATEMENT OF SERVICE FEES 


TRAVEL SERVICES 


DECLARATION OF SERVER 


I declare under penalty of perjury under the laws of the United States of America that the foregoing information 
contained in the Return of Service and Statement of Service Fees is true and correct. 


Executed on 


Signature of Server 


Address of Server 
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The Law Office of Ethan Mora 
Ethan E. Mora (SBN 317937) 
1040 E. Herndon Ave., Suite 105 
Fresno, CA 93720 

Telephone: (559) 370-1485 


Attorney for Plaintiff RYAN DELLONE 


THE UNITED STATES DISTRICT COURT 
FOR THE EASTERN DISTRICT OF CALIFORNIA 


RYAN DELLONE, an individual, Case no. 
Plaintiff, COMPLAINT 
Vv 1. VIOLATION OF EFTA — 15 U.S.C. §§1693, 
; ET. SEQ. 
COINBASE, INC., COINBASE GLOBAL, 2. VIOLATION OF CFAA - 18 U.S.C. § 1030, 
INC., and DOES 1-50; and 2.05698427 ET. SEQ. 
BITCOINS and various other digital currencies, 3. VIOLATION OF CCPA — CAL. CIV. CODE 
§§ 1798.100, ET SEQ. 
etendanie: 4. VIOLATION OF SHINE THE LIGHT LAW 
— CAL. CIV. CODE §§ 1798.83, ET SEQ. 
VIOLATION OF CAL. PEN. CODE §496 


> 

6. CONVERSION (DOES 1-50) 

7. TRESPASS TO CHATTELS (DOES 1-50) 

8. TRESPASS TO CHATTELS (COINBASE) 

9. NEGLIGENCE 

10. BREACH OF IMPLIED CONTRACT 

11. BREACH OF GOOD FAITH AND FAIR 
DEALING 

12. INTENTIONAL MISREPRESENTATION 

13. GROSS NEGLIGENCE 

14. VIOLATION OF CLRA — CAL. CIV.CODE 
§§ 1770, ET SEQ. 

15. VIOLATION OF CAL. BUS. & PROF. 
CODE § 17200 - UNFAIRNESS PRONG 

16. VIOLATION OF CAL. BUS. & PROF. 
CODE § 17200 - UNLAWFUL PRONG 

17. UNJUST ENRICHMENT 

18. DECLARATORY JUDGMENT 

19. CONSTRUCTIVE TRUST 

20. REPLEVIN / DETINUE 


DEMAND FOR JURY TRIAL 


COMPLAINT 


THE LAW OFFICE OF ETHAN MORA 


1040 E. HERNDON AVE., SUITE 105 


FRESNO, CA 93720 


559-981-2588 
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INTRODUCTION 
1. This action arises out of: (i) material misrepresentations made by Coinbase and its 
employees concerning Coinbase’s security, user-authentication practices, and its intention and 
ability to perform the duties it owed Plaintiff; (ii) Defendants’ unlawful interferences with 
Plaintiff's personal property and privacy rights; (iii) Coinbase’s egregious mishandling of Mr. 
Dellone’s sensitive, personal, confidential, and financial information; and (iv) Coinbase’s 
persistent failure to implement appropriate security and customer support measures reasonably 
designed to detect, prevent, and address fraud and unauthorized electronic fund transfers 
affecting retail consumer financial accounts hosted on the Coinbase Platform. 
2. Defendant Coinbase is a publicly-traded financial institution that operates the largest 
online cryptocurrency exchange platform in the United States (the Coinbase “Platform’’). 
Coinbase’s users (or customers) can use the Coinbase Platform and Coinbase’s other products 
and services to transact in over 100 unique digital assets, including cryptocurrencies like Bitcoin, 
as well as virtual “tokens,” and U.S. dollar-denominated financial instruments like “USD Coin.” 
3. Coinbase’s primary source of revenue is “transaction revenue,” which Coinbase 
generates from transaction fees Coinbase charges to facilitate transactions on its Platform. 
4. Plaintiff Ryan Dellone opened an online account with Coinbase (his Coinbase account) 
in October 2013. Mr. Dellone used his Coinbase account to store and transact using various 
digital assets offered to him by Coinbase on the Coinbase Platform. 
5. In his first eight years as a Coinbase customer, Mr. Dellone’s Coinbase account had never 
been breached. That changed just eight months after Coinbase turned public. 
6. On December 14, 2021, while Mr. Dellone was sleeping, DOES 1-50 (cyber-criminals; 
scammers, hackers, and other presently unnamed tortfeasors) breached Mr. Dellone’s Coinbase 
account and, within minutes, initiated over twenty highly-suspicious transactions, all in rapid 
succession. Coinbase promptly facilitated each and every one of these transactions, which 
essentially liquidated, or consolidated into Bitcoin, nearly all of the unique digital assets Mr. 
Dellone had spent the better part of a decade acquiring. 


qs After Mr. Dellone’s assets had been fraudulently consolidated, Coinbase irreversibly 
1 


COMPLAINT 


THE LAW OFFICE OF ETHAN MORA 


1040 E. HERNDON AVE., SUITE 202 


FRESNO, CA 93720 


Oo = 


Nn 


Case 1:23-cv-01408-ADA-HBK Document1 Filed 09/26/23 Page 3 of 87 


transferred ostensibly the entire balance of Mr. Dellone’s Coinbase account—which, at that 
point, was in the form of more than 2.05 Bitcoin—directly to DOES 1-50, without Mr. Dellone’s 
knowledge, consent, or permission, and through no fault of his own, all in a single, near- 
instantaneous, peer-to-peer electronic fund transfer worth approximately $100,000 at the time. 
8. In addition, Defendants (Coinbase and DOES 1-50) used Mr. Dellone’s Coinbase 
account to withdraw money from Mr. Dellone’s online bank account, which was connected to 
the Coinbase Platform. The “digital dollars” Defendants transferred from Mr. Dellone’s bank 
account to the Coinbase Platform were then used by Doe Defendants to purchase more Bitcoin, 
which, once again, Coinbase irrevocably transferred to Doe Defendants’ cryptocurrency Wallet. 
9. Although Mr. Dellone was asleep when his Coinbase account was plundered, he noticed 
the unauthorized account activity shortly after he woke up to get ready for work, mere hours 
after the initial breach. He immediately reported the unauthorized activity to Coinbase. 

10.‘ In turn, Coinbase locked Mr. Dellone, but frustratingly not DOES 1-50, out of his 
account. 

11, Coinbase has informed Mr. Dellone that, in Coinbase’s view, Mr. Dellone is “100% 
responsible” for the losses resulting from the fraud on his account—and not just the losses he 
personally sustained, but for both his and Coinbase’s purported losses, alike. 

12. Within days of squandering every cryptocurrency Mr. Dellone had patiently acquired 
during his eight-year tenure as a loyal Coinbase customer, Coinbase (Coinbase’s “customer 
support” agents) began emailing Mr. Dellone, demanding that he “reimburse” Coinbase for the 
fraudulent bank transactions Coinbase itself negligently perpetuated on its own Platform. 

13. Incredibly, even after acknowledging the fraud, Coinbase issued Mr. Dellone a truly 
disgraceful and audacious ultimatum: either pay Coinbase the “reimbursement” money Coinbase 
baselessly claims it is owed, or remain locked out of his Coinbase account indefinitely. 

14. For years, Coinbase has exploited legal ambiguities and technological obscurities to 
wield its far-superior bargaining power and resources as swords, to riposte Mr. Dellone and 
innumerable other victimized Coinbase customers like him, by using deception and bully tactics, 


duplicitous fool’s errands, wily one-sided contracts, and utter “customer support” quackery. 
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15. | Coinbase’s flagrant disrespect for Mr. Dellone’s privacy and personal property rights, 
and for the plain and simple truth, have only benefitted Coinbase. Meanwhile, Mr. Dellone, and 
many other retail Coinbase customers, as well as the broader “crypto-economy,” Coinbase’s 
competitors in the emerging financial sector writ large, and overall consumer confidence in 
governmental regulatory bodies charged with protecting retail financial consumers like Mr. 
Dellone (e.g., the Consumer Financial Protection Bureau (“CFPB”)), all suffer from 
Coinbase’s brazenly unprincipled conduct. 

16. | Since December 14, 2021, Mr. Dellone has been deprived of the 0.5 bitcoins he acquired 
in or around 2013, which had personal and sentimental value to Mr. Dellone; more than 37.5 
million virtual tokens and unique cryptocurrencies, comprising more than 20 distinct digital 
assets (worth in excess of $70,000, collectively); his valuable online account information and 
data, which Coinbase leaked to unauthorized third-parties; and over $2,000 worth of dollar- 
denominated transaction fees collected or retained by Coinbase, resulting directly from the fraud 
that occurred on his Coinbase account. 

17. By this Complaint, Mr. Dellone intends to hold Coinbase accountable for its predatory, 
prejudicial, and senseless acts and business conduct, and for its breaches of its duties and 
reasonable care, which have resulted in Mr. Dellone’s losses of his personal property and 
privacy, excruciating financial and emotional harms, and increased risks and costs Mr. Dellone 
has and continues to endure and incur to this day. 

18. Mr. Dellone intends to hold DOES 1-50 accountable as well, for the injuries and losses 
they jointly and severally caused him when they unlawfully accessed, interfered with, or received 
Mr. Dellone’s digital assets, and for their violations of federal and state privacy and computer 
laws, as further alleged below. 

1. This Complaint also asserts Mr. Dellone’s rights to and against the Bitcoin Wallet and 
the 2.05698427 Bitcoins currently located in the Bitcoin Wallet with the public key address, 
bclqjp79ak6fxm4h 7j0tsrwqx2n2k4tcqqveqxrvgm; the Tezos “staking rewards” earned by Mr. 
Dellone’s Coinbase account from December 14, 2021 to the present; the BSV tokens sent to the 


BSV Wallet with the public key address, 1420 HF L8GGyuKCvbFtGw9PqQ5Urspwn9uuvy; and 
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the U.S. Dollar Coins (“USDC”), and all other digital assets traceable to any digital wallets 
associated with Mr. Dellone’s Coinbase account prior to the breach of his account. 
THE PARTIES 

20. Plaintiff Ryan Dellone is an individual citizen and a resident of Fresno, California. 
21. | Defendant Coinbase Global, Inc. (“Coinbase Global’) is a publicly-traded Delaware 
corporation involved in the business of cryptocurrency exchange, among other interrelated 
businesses. Coinbase Global has no formal physical headquarters, as it is a “decentralized” and 
“remote first” company. 
22. Defendant Coinbase, Inc. (“CBI”), is a Delaware corporation, and a wholly-owned 
subsidiary of Coinbase Global. 
23. CBI and Coinbase Global are operated as one corporation. Coinbase Global’s SEC filings 
refer to CBI and Coinbase Global, together with subsidiaries of Coinbase Global, as “Coinbase.” 
This Complaint does the same. 
24. The true names of Doe Defendants (DOES) 1-50 are not currently known to Plaintiff. 
Plaintiff will amend this Complaint to allege the true names of each unnamed Defendant as soon 
as Plaintiff ascertains their true names. 
25. Plaintiff claims exclusive right and legal title to, and ownership of those 2.05698427 
bitcoims currently held in or associated with the Bitcoin Wallet address, 
belqjp79ak6fxm4h7j0tsrwqx2n2k4tcqqveqxrvgm (the “bel Wallet’). 

JURISDICTION AND VENUE 
26. This Court has federal question subject matter jurisdiction over this case pursuant to 28 
U.S.C. § 1331, as this action is brought pursuant to the Electronic Fund Transfer Act of 1978 
(15 U.S.C. § 1693, et seq.), and the Computer Fraud and Abuse Act (18 U.S.C. § 1030, et seq.). 
2). This Court has diversity jurisdiction over this matter under 28 U.S.C. § 1332(a)(2) 
because the amount in controversy exceeds $75,000 (exclusive of costs and interest), and 
Plaintiff is completely diverse from Coinbase. Plaintiff is a resident of California. CBI is a 
Delaware corporation. Coinbase Global is a Delaware corporation, or is “decentralized.” 


28. On information and belief, DOES 1-50 are completely diverse from Plaintiff. 
4 


COMPLAINT 


THE LAW OFFICE OF ETHAN MORA 


1040 E. HERNDON AVE., SUITE 202 


FRESNO, CA 93720 


— 


1oS) 


Nn 


Case 1:23-cv-01408-ADA-HBK Document1 Filed 09/26/23 Page 6 of 87 


29. This Court has jurisdiction pursuant to section 1331, because this Complaint presents 
fundamental questions pertaining to, or otherwise interpreting or applying the Bank Secrecy Act 
(31 U.S.C. § 5311), the Stamp Payments Act of 1862 (18 U.S.C. § 336), and the Securities 
Exchange Act (15 U.S.C. §§ 77-78c. et seq.). 
30. This Court has supplemental jurisdiction over Plaintiffs state law claims, pursuant to 28 
U.S.C. § 1367, because those claims are derived from a common nucleus of operative facts. 
31, This Court has personal jurisdiction over Defendants because Defendants transacted 
business, maintained substantial contacts, or committed overt acts in furtherance of their illegal 
schemes throughout the United States, including in this District. Defendants’ conduct has been 
directed at, and has had the intended effect of causing injury to persons residing in, located in, 
or doing business throughout the United States, including in this District. 
32. This Court has territorial guasi in rem jurisdiction because Plaintiffs rights to the 
property (or “ves”’), and the res itself, at issue in this Complaint are, on information and belief, 
present in this jurisdiction. The res is: the bel Wallet and/or the 2.05698427 bitcoins located at 
the bc Wallet as of the date of filing this Complaint. 
33. Venue is proper in this District pursuant to 28 U.S.C. § 1391(b) and (c) because a 
substantial part of the events giving rise to the claims occurred in this District, and because 
Defendants transact business in, are found in, and/or have agents in this District, and have 
substantial and systematic contacts in this District. 
FACTUAL ALLEGATIONS 

I. Background 
34. Plaintiff Ryan Dellone opened his Coinbase account in October 2013. 
35. Mr. Dellone was a markedly conservative user of the Coinbase Platform. In all his years 
as a Coinbase customer, Mr. Dellone initiated fewer than 300 transactions, total, on the Coinbase 
Platform. 
36. Mr. Dellone is a father, a husband, and a Registered Nurse. Mr. Dellone routinely sleeps 
during daytime hours because he works the nightshift in the Intensive Care Unit at one of 


California’s largest hospitals. 
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37. | Defendant Coinbase is a consumer retail financial institution that provides its customers 
products and services, including custodial and digital currency exchange services relating to 
cryptocurrencies and other emerging electronic financial assets. 

38. | Coinbase was founded in May 2012. 

39.  Coinbase became a publicly-traded company in April 2021. 

AO. Coinbase operates in over 100 countries and has over 1,000 employees. Coinbase claims 


‘ 


to support over 50 million “verified” users on its Platform. In the fourth quarter of 2021, 
Coinbase claims it facilitated over $330 billion in cryptocurrency transactions on its Platform.! 
Al. Coinbase has dubbed the Coinbase Platform’ (or itself) the “most trusted crypto 
exchange,” and has claimed to be “one of the longest running crypto platforms where customers 
have not lost funds due to a security breach of the platform.”> + 

42. The cryptocurrencies and other digital financial assets currently under Coinbase’s 
“management” are, collectively, worth hundreds of billions of U.S. Dollars. 

43. Coinbase has millions of units of Bitcoin (“bitcoins,” or “BTC’’) under its management. 
Most of the assets under Coinbase’s “management” belong to Coinbase’s customers. 

44. In December 2021, Coinbase “managed” or controlled more than 2.05 bitcoins belonging 
to Mr. Dellone. 

45.  Bitcoin is an electronic peer-to-peer (“P2P”) cryptocurrency that is digitally transferrable 
between two or more parties, without need for an intermediary. Bitcoin uses a decentralized, 
distributed public blockchain ledger to record the number of “unspent transaction outputs” 


associated with digital “Wallets” that transact using the “Bitcoin Blockchain” ledger. Bitcoins 


and certain crypto-assets similar to bitcoins, are comparable to physical cash currencies, like 


' See Coinbase, Letter to SEC Re: Custody Rule and Digital Assets, dated May 25, 2021 (accessed April 17, 2023), 
https://www.sec.gov/files/coinbase-05252 1.pdf (“Coinbase was founded in 2012 as a consumer platform that makes 
it easy to purchase, sell, and transact in cryptocurrency. ... We support over 56 million verified users across more 
than 100 countries who, in the last quarter, have traded over $330 billion in cryptocurrency on our platform.”). 

? Although technically Coinbase operates and has operated more than one cryptocurrency exchange website (e.g., 
“Coinbase Pro,” “Coinbase,” “GDAX”’), this Complaint refers to every Coinbase website (or so-called “platform’’) 
Mr. Dellone has used as, collectively, the “Coinbase Platform” (or the “Platform’’). 

3 Coinbase, Security, https://www.coinbase.com/security (accessed March 14, 2023). 

4 See, Coinbase Global Inc., SEC General Form for Registration of Securities (Form S-1) 


https://www.sec.gov/Archives/edgar/data/1679788/000162828021003168/coinbaseglobalincs-1.htm (“SEC Form- 
1”) (Feb. 25, 2021). 
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U.S. Dollars (“USD”) or gold coins, because the assets are: (i) tangible (i.e., they can be 
transferred directly between parties, P2P); (ii) easily-movable (i.e., they can be sent to and from 
virtually anywhere in the world); and (iii) valuable (e.g., bitcoins are valuable because there are 
only 21 million units that will ever be placed into circulation; and only a handful of entities, 
including Coinbase, each control thousands of the approximately 19,000,000 BTC currently in 
circulation). 

46.  Bitcoin and similar crypto-assets are not comparable to credit, debit, or any other familiar 
financial instruments based on underlying assets or obligations. Cryptocurrencies—specifically, 
the “unspent transaction outputs” and the cryptocurrency “Wallets” recorded on public, 
decentralized (or distributed) blockchains—are, themselves, the assets. They function much like 
fiat currency coins and paper bills; not like redeemable shares, contracts, or stock certificates. 
47. Unlike traditional physical cash fiat currencies, however, BTC can exist in multiple 
places, simultaneously, all at once; and control of BTC is proved by “spending” the BTC (or 
unspent transaction outputs) by initiating a valid transaction recorded on the Bitcoin Blockchain. 
With Bitcoin, any number of random strangers anywhere on earth can, theoretically, each have 


in their respective possessions, the exact same asset; because the asset is the exact same asset, if 


one person “spends” the asset, no one else with possession of the asset can spend the asset in the 
future (they are entirely dispossessed of the BTC as soon as it is spent). A person may “spend” 
BTC by moving it from one Wallet to another, either in a self-transfer between Wallets the person 
owns, or by transferring the BTC to another person’s Wallet. 

48. The hundreds of billions of U.S. Dollars’ worth of tangible, valuable, and easily-movable 
cryptocurrencies (essentially virtual “cash”) under Coinbase’s management is almost 
unfathomable by comparison to any familiar physical financial asset. Conceptually, if the 
cryptocurrencies under Coinbase’s management were in physical form, they would probably 
look like mountains of cash-equivalent hard assets of the sort Scrooge McDuck might dive into, 
or like stacks of paper currency piled so high Pablo Escobar could have blushed at the sight. 

49. _ Using the digital assets and cryptocurrencies Coinbase has on-hand (under its control), 


Coinbase facilitates millions of revenue-generating P2P transactions each month. 
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50. Coinbase’s primary source of revenue is “transaction revenue,” which Coinbase 
generates from the fees it collects for facilitating digital asset transactions on its Platform. 
51. In the first quarter of 2023, Coinbase recorded $352 million in “transaction revenue.” In 
Q4-2022, Coinbase recorded $322 million of the same. However, between October and 
December 2021 (the quarter when the events giving rise to this suit began), Coinbase recorded 
an astonishing $2.3 billion in transaction revenue. For context, Coinbase’s total company 
revenue in Q4-2021 ($2.49 billion) was nearly the amount of total state tax revenue collected by 
the entire State of Nevada during the exact same time period ($2.53 billion).° 
52. A portion of the “transaction revenue” Coinbase collected in Q4-2021 was unearned, or 
unethically earned, and has been unjustly retained by Coinbase. 
53. On information and belief, a substantial portion of the transaction revenue Coinbase 
collected between 2017 and 2022 was the direct result of fraud and Coinbase’s unfair and 
unconscionable company policies, which, for instance, instructed Coinbase’s employees and 
agents to make concerted efforts to hold its retail customers “100%” liable for all transactions 
completed on their Coinbase accounts—including clearly fraudulent transactions Coinbase 
improperly facilitated without customer permission in the course of its ruthless campaign to 
inflate its bottom line. 

A. Types of Digital Assets on the Coinbase Platform 
54. The term “digital assets” refers to intangible, electronically-recorded items stored on a 
computer, digital device, or network (e.g., digital data; digital currencies; crypto-assets). 
55. A “digital currency” is any currency available exclusively in electronic form, which is 
not based on fiat currency. 
56. The term “crypto-asset” refers broadly to digital unspent transaction outputs recorded on 
a blockchain-based ledger. Crypto-assets fundamentally exist in cryptographically-secure 
“Wallets,” and are reflected on public, decentralized (or distributed) blockchain ledgers. A 


“cryptocurrency,” is a class of crypto-asset that is also a “digital currency” (like BTC). 


5 Compare, Coinbase, Quarterly Earnings (available at https://investor.coinbase.com/financials/quarterly- 

results/default.aspx) with Census.gov, 2021 Quarterly Summary of State & Local Tax Revenue Tables (available at 

https://www.census. gov/data/tables/202 1/econ/qtax/historical.Q4.html#list-tab-495435 152) (accessed June 2023). 
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57. A“‘stablecoin” is a digital currency or crypto-asset that derives its price from the price of 
a specific reference asset to which the digital currency or crypto-asset is pegged. 


58. A “Security Token” is a type of crypto-asset that is not a digital currency, and which 


represents or constitutes an investment contract. 

59. The term, “Wallet” (or “Crypto Wallet”) refers to a blockchain-based “key pair” 
consisting of a digital public key and a digital private key. A “public key” is a Wallet’s public- 
facing digital address; it is used to receive inbound crypto-assets and encrypt outbound 
transaction data. A “private key” is used to facilitate the transfer of crypto-assets out of a Wallet, 
and to prove ownership over crypto-assets held in a Wallet. A private key is also a blockchain- 
based asset, as it allows anyone to control the “unspent transaction outputs” associated with its 
corresponding public key address. 

60. Any person or entity with access to a Wallet’s private key can control the assets (or 
unspent transaction outputs) in the corresponding Wallet, and can thus transfer those assets to 
another Wallet. 


‘ 


61. In this Complaint, the term “digital wallet” or “wallet” (lower-case) denotes that a 
“wallet” is not a “Wallet” (or Crypto Wallet). 

62. Coinbase provided Mr. Dellone with at least one financial account, or digital “wallet,” 
which Coinbase has referred to as a “USD Wallet”; Coinbase also provided Mr. Dellone with 
various other digital wallets that Coinbase has referred to, generally, as “Digital Currency 
Wallets.” In this Complaint, the “USD Wallet” and other so-called “Digital Currency Wallets” 
(i.e., the digital wallets issued by Coinbase), are distinguished from Crypto Wallets, as 


““Coinbase-issued wallets.” 


63. Though some of the financial accounts Coinbase calls “Digital Currency Wallets” may 
reflect real, underlying Crypto Wallets owned by Coinbase’s customers, Coinbase-issued wallets 
are notably distinguishable from Wallets because Coinbase-issued wallets are made accessible 
to consumers exclusively through Coinbase’s centralized Platform. Conversely, crypto-assets 
stored in “Wallets” controlled (or hosted) by Coinbase can be transferred without logging into a 


Coinbase account, using only the Wallet’s private key. 
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64. Unlike transactions between Wallets, only Coinbase account credentials—and not (or at 
least not exclusively) a blockchain-based private key—are required to initiate electronic fund 
transfers from Coinbase-issued wallets. 
65. Electronic fund transfers between Wallets, which are recorded on blockchains, do not 
inherently require Coinbase’s express approval and facilitation, unlike transactions between 
Coinbase-issued wallets. 
66. Transactions between Wallets are almost always irreversible, unlike transactions 
between Coinbase-issued wallets, which can be reversed by Coinbase. 
67. Electronic financial transactions between Coinbase-issued wallets require Coinbase’s 
express authorization and facilitation to effectuate the transfers, and are reversible exclusively 
by Coinbase. 
68. Unlike transfers between Wallets, transfers between Coinbase-issued wallets afford 
Coinbase the ability to rapidly facilitate exchanges and transfers of crypto-assets on its Platform. 
Coinbase has publicly promoted its facilitation of asset and currency exchanges and transfers on 
its Platform as “the easiest solution” for retail consumers of crypto financial products who are 
looking to “buy, sell, send, and receive crypto.’ 

1. USDC Stablecoins are Not Legal Tender 
69.  Coinbase circulates, pays out, and is one of the companies responsible for issuing a 
stablecoin called “USD Coin” (or “USDC”).’ 
70. In the United States, it is a crime “to issue, circulate, or pay out any note . . . token or 
other obligation, for a sum less than $1, intended to circulate as money or to be received or used 
in lieu of lawful money of the United States.” STAMP PAYMENTS ACT OF 1862, 18 U.S.C. § 336. 
vale Coinbase has advertised that, “[u]nlike regular US dollars, USD Coin doesn’t require a 
bank account. It doesn’t require that [users] live in a particular geography.” 


72. USDC is purportedly reserve-backed by legal tender fiat currency. Coinbase claims its 


® Coinbase, How to set up a crypto wallet, https://www.coinbase.com/learn/tips-and-tutorials/how-to-set-up-a- 
crypto-wallet (accessed Mar. 2023). 

7 See Circle, USD Coin — Ecosystem, https://www.circle.com/en/usdc/ecosystem (accessed April 24, 2023) (‘USDC 
is accessible via dozens of digital asset exchanges’’). 
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customers “can always redeem 1 USD Coin for US$1.00.” Coinbase advertises that “[e]ach 
USDC 1s backed by one dollar or asset with equivalent fair value, which is held in accounts with 
US regulated financial institutions.”® 

73. In addition to providing its customers with Coinbase-issued USDC wallets, Coinbase 


encourages its customers to connect their traditional online bank accounts to the Coinbase 


Platform. 
74. Mr. Dellone connected his online bank account to the Coinbase Platform. 
75.  Coinbase customers can transfer obligations to pay US Dollars directly between the 


Coinbase Platform (i.e., Coinbase) and the customer’s bank. 

76. Coinbase customers, including Mr. Dellone, have used their Coinbase accounts to store 
USD-denominated “digital dollar” obligations in their respective Coinbase-issued USD wallets, 
which are made available to customers on the Coinbase Platform. 

77. Mr. Dellone, and other Coinbase customers with bank accounts linked to the Coinbase 
Platform, have used their bank accounts to purchase and “cash out” digital assets they custody 
with Coinbase, both into fiat currency and into USDC. 

78.  Coinbase invites its customers to use USD and USDC interchangeably. 

79. Since at least 2020, Coinbase has shown preference toward its customers’ use of USDC, 
over USD. For example, Coinbase has advertised that, unlike U.S. Dollars, which have limited 
denominations, Coinbase customers can “hold as little as 0.000001 worth of USD Coin.” 

80. Coinbase has issued, circulated, and paid out “USD Coins” for sums less than $1. 

81. Plaintiff is informed and believes, and on that basis alleges, Coinbase has deliberately 
mispresented USD Coin to Mr. Dellone and to all Coinbase’s customers, intentionally conflating 
“USD” and “USDC,” intending to confuse and, in fact confusing, many Coinbase customers, 
including and especially average retail investors and consumers like Mr. Dellone. 

82. Mr. Dellone was confused by the distinction between USD and USDC, and through no 
fault of his own, Mr. Dellone was almost completely unaware of the profound risks with respect 


to USDC transactions and online USDC “accounts” managed by Coinbase. Among these risks, 


8 Coinbase, USD Coin, https://www.coinbase.com/usdc (accessed Mar. 2023). 
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the risk that Coinbase can, at any time, at its sole discretion, refuse to exchange USDC for USD, 
by, for instance, locking a customer who owns USDC out of his Coinbase accounts for virtually 
any reason Coinbase decides. 

83. | USDC is not legal tender. 

84.  Coinbase has intended to circulate “USDC” as money, or else has intended that USDC 
be received or used in lieu of lawful money of the United States, in violation of federal law. 


2. Tezos Security Tokens are Investment Contracts 


85. Mr. Dellone used the Coinbase Platform to invest in a Security Token called “Tezos” 
(“XTZ’’). 
86. Coinbase has not recognized XTZ tokens as investment contracts regulated by U.S. 


securities laws. Therefore, Coinbase does not consider itself required to abide by the consumer- 
protection provisions of the Securities Exchange Act (15 U.S.C. §§ 77-78c. et seq.) with respect 
to Coinbase’s activities involving the XTZ Security Tokens. 

87. Inearly 2021, Mr. Dellone purchased 92.336053 XTZ for $350. In so doing, Mr. Dellone 
exchanged money or digital assets for XTZ tokens, and he paid Coinbase fees for executing those 
transactions. Mr. Dellone then “staked” (or “baked”) his XTZs by leaving his XTZs in his 
Coinbase account. As opposed to selling or exchanging his XTZs for profit, Mr. Dellone earned 
XTZ “reward payments” for staking his XTZs with Coinbase. 

88. Mr. Dellone’s “reward payments” began accruing in May 2021, and those rewards 
accrued, and would have continued accruing to date, absent Coinbase’s wrongful acts as further 
described herein. 

89. By purchasing XTZs, Mr. Dellone invested his money in the Coinbase Platform and in 
the Tezos blockchain, expecting that he would passively earn profit from staking (or baking) his 
XTZs to earn “rewards,” without any work on his part, resulting solely from the increase in the 
value of his XTZs, and from the accrual of his staking rewards over time. 

90. | Mr. Dellone has been deprived of his XTZ tokens and rewards because, in or around 
December 2021, Defendants exchanged most if not all his XTZs, for bitcoins; and because 


Coinbase has interfered with his right to receive his XTZ staking rewards. 
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91. | When Mr. Dellone invested in XTZ tokens—which were made available to him by 
Coinbase—Mr. Dellone helped fund both Coinbase, and the Tezos blockchain. 
92. Mr. Dellone earned measurable profits, which were reflected in his Coinbase-issued XTZ 
wallet, and which resulted solely from the efforts of Coinbase. 
93. The XTZs formerly held in Mr. Dellone’s Coinbase-issued Tezos (XTZ) wallet, 
including the XTZ rewards he earned through the Coinbase Platform, are investment contracts 
and securities under the Securities Exchange Act. 
94.  Coinbase caused Mr. Dellone to lose his XTZs when Coinbase converted all or 
substantially all his XTZs to BTC on December 14, 2021. 
95. | Since December 14, 2021, Coinbase has intentionally and unreasonably deprived Mr. 
Dellone of the XTZ tokens that accrued in, and were stored in his Coinbase account prior to the 
fraudulent transactions that occurred on his Coinbase account. 
96. Coinbase has inequitably retained the Tezos-specific benefits it received from Mr. 
Dellone’s investment in XTZs, and Mr. Dellone has been harmed by Coinbase’s conscious 
business decision to impose substantial risks on Mr. Dellone, by proceeding to carelessly offer, 
broker, and facilitate his Security Token transactions on its Platform while ignoring applicable 
securities laws aimed at protecting Mr. Dellone as an average retail investor. 

B. Coinbase is a “Custodial Wallet Service Provider” 
97. The permanent loss of a Wallet’s private key can, and almost always does result in the 
irrevocable loss of all crypto-assets in or associated with that Wallet. 
98.  Coinbase has advertised the “custodial” (or “hosted’”) Wallet services it purportedly 
provides, as a solution to consumers’ worries regarding inadvertent, irreversible losses of crypto- 


assets. See Coinbase, How to set up a crypto wallet, https://www.coinbase.com/learn/tips-and- 


tutorials/how-to-set-up-a-crypto-wallet (accessed June 12, 2023) (“It’s called hosted because a 


third party keeps your crypto for you, similar to how a bank keeps your money in a checking or 
savings account. You may have heard of people ‘losing their keys’ or ‘losing their USB wallet’ 
but with a hosted wallet you don’t have to worry about any of that.”’). 


99. The type of custodial Wallet services Coinbase has advertised are typically offered by 
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centralized, sufficiently-capitalized’, and insurable for-profit corporations, because hosted 
Wallet providers, including Coinbase, assume custody, and therefore possession and a significant 
degree of control of their customers’ valuable digital assets. 

100. By contrast, “non-custodial” Wallet service providers are commonly decentralized, 
distributed, and sometimes not-for-profit organizations, as non-custodial Wallet providers 
merely present customers with easier ways to create, hold, and directly transact with Wallets in 
the customer’s—not the service provider’s—custody. Non-custodial Wallet providers, by 
definition, cannot assert or take custody of their customers’ crypto-assets. Accordingly, 
customers of non-custodial Wallet service providers take full responsibility for maintaining and 
securing their own private keys and crypto-assets. 

101. Coinbase is a “custodial Wallet service provider” because Coinbase: (a) requires that its 
customers maintain and use electronic financial accounts hosted by Coinbase, in order to access 
their crypto and other digital assets they own; (b) assumes custody of its customers’ private keys 
and the crypto-assets owned by its customers; and (c) can unilaterally permit access to and 
prevent transfers of customer-owned crypto-assets in its custody. 

102. Coinbase has promoted and advertised its unilateral ability to authorize changes to 
Coinbase account credentials as a security, or account protection, feature that most if not all 
custodial Wallet service providers in the crypto-economy offer. See, e.g., (“The main benefit of 
keeping your crypto in a hosted wallet is if you forget your password, you won’t lose your crypto 
[because a custodial Wallet service provider can reset its customers’ passwords].”)!° 

103. Coinbase has advertised the services it provided Mr. Dellone as including benefits and 
protections that “non-custodial” Wallet providers do not, and by definition, cannot provide. See 
Coindesk.com, Custodial wallets vs. non-custodial wallets (with custodial Wallet service 
providers, “[t]he individual user is not responsible for protecting the private key to the wallet 
and therefore places trust in the business [i.e., Coinbase] keeping the private key safe. When a 
° But see, e.g., Commodity Futures Trading Commission, CFTC Charges Sam Bankman-Fried, FTX Trading and 


Alameda with Fraud and Material Misrepresentations — Release Number 8638-22, published December 13, 2022, 
https://www.cftc.gov/PressRoom/PressReleases/8638-22 (accessed April 24, 2023). 


‘0 Coinbase, How to set up a crypto wallet, https://www.coinbase.com/learn/tips-and-tutorials/how-to-set-up-a- 
crypto-wallet (accessed June 12, 2023). 
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user wishes to send coins out of a custodial wallet, they simply log in to the platform with a 
username and password, input the public key of the location to where they wish to send coins, 
and the business is responsible for inputting the private key to complete the transaction.”).!! 
104. As a custodial Wallet service provider, Coinbase intentionally bargained for, and has 
received benefits from misrepresenting the quality and features of the custodial services it 
purports to provide. Coinbase has unjustly received and retained these benefits as a result of 
misrepresenting its willingness and ability to comply with the higher standards of care applicable 
to all regulated custodial Wallet service providers serving the crypto-economy and California 
retail financial consumer customers, like Mr. Dellone. 

C. Coinbase’s Claims It Uses Its Customers’ Data for “Security” Purposes 
105. Coinbase collected and maintains various categories of data from and about its 
customers, and Coinbase intended to, and did, convince Mr. Dellone that his money and 
property, which he had entrusted to Coinbase’s custody, were reasonably secured by Coinbase’s 
use of the data he (and other Coinbase customers) shared with Coinbase and consistently 
permitted Coinbase to collect from and about him, by nature of his relationship with Coinbase. 
106. Coinbase assured Mr. Dellone that Coinbase and its Affiliates were prepared to (and at 
times, did) take appropriate actions based on the data Coinbase collected from and about Mr. 
Dellone. In October 2021, for example, and on numerous other occasions prior, Coinbase 
represented to Mr. Dellone that Coinbase uses the data it collects from and about him, and other 
Coinbase customers, to prevent and respond to unauthorized and fraudulent activity on the 
Coinbase Platform, and to identify Mr. Dellone as a Coinbase customer. '* These representations 
were false, and Coinbase knew that when it made the representations. 

1. Coinbase Collected Troves of Identification Data from Mr. Dellone 

107. Along with other cyber-identification data, Coinbase collected the following information 
from and about Mr. Dellone, and to some extent, from and about the Doe Defendants who 
wrongfully accessed Mr. Dellone’s Coinbase account: (i) Device IDs; (ii) IP Addresses; (iii) data 


' https://www.coindesk.com/learn/custodial-wallets-vs-non-custodial-crypto-wallets/ (accessed Nov. 14, 2022). 
'2 See User Agreement, Privacy Policy, Exhibit A (Privacy Policy begins at p. 19). 
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from Cookies; (iv) Behavioral Analytics; and (v) Personally Identifiable Information (“PIT”). 
108. Device IDs are hardware-specific identification numbers, like IMEI numbers and MAC 
addresses. An “IMEI” number (or International Mobile Equipment Identity number) is a wireless 


device’s (e.g., a cellular mobile phone’s) unique 15-digit serial number. A “MAC Address” (or 


Media Access Control address; sometimes called a “hardware address’”’) is a unique, 12-character 
alphanumeric attribute used to identify individual electronic devices on a digital network. 

109. An IP address, or an Internet Protocol address, is a unique address, for example 
“107.77.213.27,” that identifies a device on the internet or on a local network. An IP address 
serves two main functions: it identifies the host (the digital representation of a device) on a 
network; and it provides the geographic location of the computer or other device connected to a 
network. 


110. IP addresses can be disguised by using proxy networks, like a Virtual Private Network 


(or “VPN”). A VPN conceals the true IP address used by a device by redirecting the device’s 
network connection through a proxy server run by a VPN host, which essentially assigns the 
device a new IP address. ° 

111. Cookies are information saved by a web browser when a person uses the web browser to 
visit a website. Cookies are used to recognize a person, or a person’s device, in future online 


interactions. Flash Cookies, also known as “Local Shared Objects” (or “super-cookies”)!4 


, area 
Cookie-variant that collects and stores information about how a person uses a website’s services. 
112. Coinbase has explicitly represented that it uses Flash Cookies for fraud prevention. !° 


113. Behavioral Analytics is the process of collecting and analyzing data from actions 


performed by users of a digital product. In general, companies that use Behavioral Analytics 


(including Coinbase), analyze various forms of digital user data to assess exactly how users 


'3 See Kapersky, What is VPN? How It Works, Types of VPN, https://www.kaspersky.com/resource- 
center/definitions/what-is-a-vpn (accessed March 14, 2023) (“A VPN hides your IP address by letting the network 
redirect it through a specially configured remote server run by a VPN host.”). 
'4 The Electronic Frontier Foundation has described Flash Cookies as a “threat.” Electronic Frontier Foundation, 
Online Behavioral Tracking, https://www.eff.org/issues/online-behavioral-tracking (accessed Apr. 17, 2023) (“New 
threats include ‘super-cookies’ like Adobe’s ‘Local Shared Objects’ .... [and] semi-legal data-sharing 
agreements between Internet service providers and data warehouses . . . . [which] include social networking websites 
that allow advertisers too much access to their users’ behavior and data.”) (emphasis added). 
'S See User Agreement, Cookie Policy, Exhibit A (Cookie Policy, begins at p. 29). 
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interact with digital products (e.g., the Coinbase Platform), and in order to make decisions about 
how to improve their products in the future. 


114. Personally Identifiable Information (“PI”) includes a person’s name and contact details 


(e.g., phone number; email address), usernames, gender, locale/language, location, birthdate, 
user-authenticated virtual documents, and may include device types and other cyber- 
identification data used by a company to control access to the company’s services. 
115. Personally Identifiable Information has significant value to criminals, researchers, 
advertisers, Coinbase’s Affiliates, internet and cellular service providers, political campaigns, 
and consumers. 
116. To many consumers, PII can be just as important as financial data. To some consumers, 
and to some criminals, PII can be even more valuable than a Social Security Number or bank 
account information. 
117. Personally Identifiable Information, including the PII Mr. Dellone shared with Coinbase, 
which Coinbase has collected and retained for nearly a decade, has significant value to Coinbase. 
118. Coinbase had sufficient information about Mr. Dellone, his access devices, his locations, 
and his online behaviors, which Coinbase’s employees, representatives, and agents could have, 
but did not use to prevent unauthorized access to, and fraudulent transactions on Mr. Dellone’s 
Coinbase account. 
119. Based on the information Coinbase had in its possession in December 2021, no person 
or custodial Wallet service provider in Coinbase’s position could have reasonably concluded that 
Mr. Dellone initiated the unlawful transactions that ultimately decimated his Coinbase account. 
2. Coinbase Misrepresents the Reasons It Collects and Stores Consumer Data 
120. Onnumerous occasions prior to December 2021, Coinbase specifically represented to all 
Coinbase customers that Coinbase engages in the routine monitoring of IP addresses, as part of 
Coinbase’s “reasonable risk-based program” aimed at complying with Anti-Money Laundering 


and Know Your Customer (AML/KYC) regulations. !° 


'6 See, e.g., Coinbase SEC Form S-1, supra, n. 1. See also, Coinbase, FAQ — Password Resets, 
https://help.coinbase.com/en/coinbase/privacy-and-security/other/why-will-my-password-reset-require-24-hours-to- 


process (accessed October 2022). 
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121. Additionally, Coinbase has advertised that it only allows customers to “reset their 
passwords from devices they have previously verified, or from locations they have previously 
logged in from.”"” 

122. Mr. Dellone reasonably believed that Coinbase was, for security purposes, persistently 
collecting the geolocations and other device and network data associated with every person 
and/or device that requested access to his Coinbase account. 

123. Mr. Dellone saw and reasonably believed the following statement, or a substantively 
similar statement, posted on Coinbase’s website: “if you [a customer] reset your password from 
a new device, you won’t be able to send crypto from your account for up to 48 hours.” Coinbase 
promoted this feature as one that would help protect its customers from fraud and theft affecting 
their Coinbase accounts, by helping “safeguard against attempts to illegitimately reset [the 
Coinbase customer’s] password.”!® For over eight years, Mr. Dellone believed that Coinbase 
provided this feature consistently with respect to critical actions (e.g., password resets; credential 
changes; irreversible transfers of cryptocurrency) taken on Mr. Dellone’s Coinbase account. 
124. Mr. Dellone allowed Coinbase to retain custody of his digital assets, including his 
valuable private and sensitive data, because he believed that when he, or when anyone, attempted 
to engage in activity involving his Coinbase account, Coinbase would take reasonably 
appropriate precautions to ensure that every action—or, at the very least, every critical account 
change request and irreversible P2P transaction—has been legitimately requested by him, before 
approving or effectuating those actions.'® 

125. Coinbase’s statements regarding its use of customer data convinced Mr. Dellone that 
Coinbase’s services were of a particular quality that would have mitigated or prevented the losses 


and harms Mr. Dellone sustained as a result of Coinbase’s repeated failures to provide Mr. 


Dellone the services and products Coinbase had advertised. 


'7 Coinbase, Password requirements and troubleshooting, https://help.coinbase.com/en/coinbase/privacy-and- 
security/avoiding-phishing-and-scams/password-requirements (accessed October 2022). 

'8 Coinbase, Reset my password, https://help.coinbase.com/en/coinbase/managing-my-account/get-back-into-my- 
account/reset-my-password (accessed October 2022). 

') See, e.g., Coinbase, Scaled compliance solutions from Coinbase, https://www.coinbase.com/compliance 
(accessed April 17, 2023) (showing Coinbase offers various crypto “compliance” services for governments, 
financial institutions, and crypto businesses). 
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I. Coinbase Facilitates Dozens Of Unauthorized Transfers And Critical Account 
Changes—Then Demands Mr. Dellone Reimburse Coinbase For Fraudulent 
Transactions Coinbase Perpetrated Using Mr. Dellone’s Account 

126. On December 14, 2021, Coinbase facilitated numerous unauthorized and exceptionally 
uncharacteristic transactions, and approved multiple critical account changes on Mr. Dellone’s 
Coinbase account, despite Coinbase collecting real-time data, which clearly showed that: (a) the 
devices used to access Mr. Dellone’s account (and initiate an unprecedented flurry of 
transactions) had Device IDs that had never previously accessed Mr. Dellone’s account; (b) the 
access devices were connected to VPNs, which were provided by a European-based company, 
called “M247”; and (c) the geolocations of the VPN-masked IP addresses were connected to 
servers in Florida and New York. 
127. Since he opened his Coinbase account in October 2013, Mr. Dellone has consistently 
accessed his Coinbase account from California, always using the same network and Internet 
Service Providers to access his account. 
128. Over an eight-year-period Mr. Dellone consistently used familiar, pre-authorized access 
devices (e.g., computers, mobile phones) to access the Coinbase Platform. 
129. In all his time as a Coinbase customer, Mr. Dellone never once used a VPN to disguise 
his IP address when logging into his Coinbase account. 
130. Despite the years of PII, behavioral analytics, and other cyber-identification information 
Coinbase had collected from Mr. Dellone, supposedly for security purposes, Coinbase did not 
merely grant DOES 1-50 unfettered access to Mr. Dellone’s Coinbase account—Coinbase 
allowed DOES 1-50 to retain, and later renew, and then regain access to his account, even, 
shockingly, to Mr. Dellone’s express exclusion. 
131. The actions and omissions of CBI, its agents, executives, employees, and/or its 
“Affiliates,” and the conscious and unethical business decisions made by Coinbase Global, have 
caused Mr. Dellone significant harms, for which Mr. Dellone is now entitled to recover. 

A. Defendants Plunder Mr. Dellone’s Coinbase Account, Robbing Him of $100,000 


in Cryptocurrencies and Exposing His Valuable, Private Data 
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132. Around 3:30 p.m. PST on December 14, 2021, Mr. Dellone’s Coinbase account was 
breached by DOES 1-50 while Mr. Dellone was asleep. 

133. Immediately upon gaining access to Mr. Dellone’s account, DOES 1-50 initiated twenty- 
five (25) consecutive transactions, twenty-three (23) of which were initiated in the span of less 
than ten minutes. Coinbase approved and promptly facilitated each of these transactions. In the 
first set of rapid-fire transactions, Defendants converted twenty-two (22) unique crypto-assets 
belonging to Mr. Dellone, into U.S. dollar-denominated financial assets (USD and/or USDC); 
then, along with approximately $17,000 that was already in Mr. Dellone’s Coinbase-issued “U.S. 
Dollar Wallet” (and/or his “USDC Wallet”) prior to the breach, Defendants purchased over 
$70,000 worth of Bitcoin on the Coinbase Platform. 

134. Coinbase credited the newly-purchased BTC to Mr. Dellone’s Bitcoin Wallet, which, 
prior to the breach of his account, already contained approximately 0.5 bitcoins. 

135. Coinbase also permitted, and inherently assisted DOES 1-50 in purchasing about $1,000 
worth of Bitcoin using Mr. Dellone’s bank account, which was connected to, and accessible via 
the Coinbase Platform. Coinbase credited these bitcoins to Mr. Dellone’s Bitcoin Wallet as well. 
136. Then, at the behest of Doe Defendants, Coinbase transferred the entire balance of Mr. 
Dellone’s BTC Wallet (more than 2.0569 bitcoins) to an “off-Platform” Bitcoin Wallet (a Wallet 
not hosted by Coinbase on the Coinbase Platform) that had never been associated with Mr. 
Dellone or his Coinbase account in any way whatsoever—all in a single, irreversible electronic 
fund transfer. 

137. In other words, after Coinbase swiftly facilitated dozens of unprecedented and clearly 
fraudulent transactions on Mr. Dellone’s Coinbase account, Coinbase sent nearly the entire 
consolidated balance of Mr. Dellone’s account (which, at the time, was worth around $100,000) 
off the Coinbase Platform, to a completely pseudonymous Bitcoin Wallet, all in one, irrevocable 
financial transaction, without even so much as sending a confirmatory “test” transaction to the 
off-Platform Wallet prior to transferring the six-figure lump sum. 

138. Unlike reversible ‘“on-Platform” transactions, which can only be effectuated using 


Coinbase-issued credentials associated with Coinbase-issued digital wallets, “off-Platform” 
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transactions are generally irreversible and require the use of the private key associated with the 
“spending” Wallet. 
139. The transfer of Mr. Dellone’s 2.0569 bitcoins from his BTC Wallet required Coinbase to 
use the private key associated with Mr. Dellone’s Bitcoin Wallet. 
140. Coinbase’s transfer of Mr. Dellone’s Bitcoin to the off-Platform Wallet is the digital 
equivalent of a bank teller dropping a $100,000 bag of cash, representing a bank customer’s 
entire bank account balance, behind a random dumpster located nowhere near the bank, purely 
at the behest of someone who called the bank ten minutes prior, claiming to be the account 
holder. 
141. By 3:50 p.m. PST on December 14, 2021, about twenty minutes after Coinbase first 
approved the initial unauthorized log-in request on Mr. Dellone’s Coinbase account, Mr. 
Dellone’s account was virtually empty. 

1. Coinbase Facilitates Even More Fraud on Mr. Dellone’s Account 
142. Somehow, despite all odds Coinbase ever intended to prevent, mitigate, or rectify the 
financial devastation Coinbase and Doe Defendants caused Mr. Dellone, the pillaging of Mr. 
Dellone’s Coinbase account continued. 
143. Apparently blind to the copious and unmistakable tell-tale hallmarks of fraud on its 
Platform, Coinbase approved the following actions, initiated by one or more Doe Defendants, 
seeking to: (a) change the email address associated with Mr. Dellone’s Coinbase account; (b) 
change the 2FA settings for Mr. Dellone’s account; (c) add a new phone number—a Voice-Over- 
Internet-Protocol (or “VOIP”)”° phone number, with a Montana area code—to Mr. Dellone’s 
account; (d) verify the VOIP number as the primary mobile phone number for Mr. Dellone’s 
account; (e) link a new 2FA authentication mechanism to Mr. Dellone’s account; and (f) 
disassociate Mr. Dellone’s email address and phone number from his account. 
144. Any reasonable person in Coinbase’s position would have recognized that Mr. Dellone 
20 See, e.g., Federal Communications Commission, Voice Over Internet Protocol (VOIP), 


https://www.fec. gov/general/voice-over-internet-protocol-voip (accessed April 17, 2023) (“Voice over Internet 
Protocol (VoIP), is a technology that allows you to make voice calls using a broadband Internet connection instead 


of a regular (or analog) phone line. .. . VoIP can allow you to make a call directly from a computer, a special VoIP 
phone, or a traditional phone connected to a special adapter.”) 
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was not attempting to hastily change his phone number, his email address, and his 2FA settings, 
all at once, for the first and only time in eight years, using previously-unauthorized access 
devices (including an iPhone multiple generations older than his previously-authorized mobile 
access device, which was also an iPhone) by connecting to a foreign-hosted VPN, using IP 
addresses connected to servers in states across the country from where Mr. Dellone has 
consistently accessed the Coinbase Platform. 
145. Considering the grave and foreseeable harms to Mr. Dellone, including the irrevocable 
loss of his PII and other valuable data, no reasonable person in Coinbase’s position would have 
approved the changes Doe Defendants requested. Coinbase, on the other hand, promptly 
approved the changes, defying its own unambiguous promises and legal obligations to Mr. 
Dellone. 
146. Coinbase then proceeded to facilitate additional financial transactions. In one transaction, 
Coinbase sent a cryptocurrency called “BSV”—for which Coinbase only facilitates “off- 
Platform” exchanges—from Mr. Dellone’s BSV Wallet (hosted by Coinbase), to an off-Platform 
BSV Wallet that (like the off-Platform BTC Wallet) had never been associated with Mr. Dellone. 
147. Coinbase then facilitated another transaction, which was initiated by a device using a 
New York IP address issued by the same VPN provider (M247) that had issued the Florida IP 
address responsible for the previous instances of fraud detailed above. In this transaction, 
Coinbase allowed DOES 1-50 to, once again, use Mr. Dellone’s bank account to purchase 
approximately $200 more in Bitcoin. Coinbase again deposited the BTC to Mr. Dellone’s Bitcoin 
Wallet before transferring the BTC from his Wallet to the Doe Defendants’ off-Platform Wallet. 
148. When Mr. Dellone later informed his bank that the Bitcoin purchases executed on the 
Coinbase Platform were fraud, Mr. Dellone’s bank reversed the charges. 

2. Summary of Mr. Dellone’s Cryptocurrency Losses 
149. “Table _A” (Summary of Converted Assets), set forth below, lists the crypto-assets 


converted and/or stolen from Mr. Dellone by Defendants on December 14, 2021: 
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Token 
ETH 
Ce 
ETC 
Cisl 
ADA 
ZRX 
LINK 
ANKR 
LCX 
SUKU 
XTZ 
SHIB 
EOS 
XLM 
DNT 
ASM 
MATIC 
BAT 
OMG 
TRAC 
CVC 
USD-BTC 
BTC Buy 
USD-BTC 


Table A 


(Summary of Converted Assets) 


BTC Transfer Off-Platform 


BSV Transfer Off-Platform 
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6.60611257 
88.599 16563 
170.5156815 
1,931.78 
637.4547 
804.0188919 
122.1935986 
6,215.40 
3,234.52 
4,161.78 
93.53412 
37,479,605.75 
102.3689 
1,021.82 
1,955.06 
2,750.43 
199.0150769 
143.7168994 
1.17787025 
204.2707539 
346.1700191 
1.50871977 
0.02081577 
0.00405624 
2.05698427 
1.72706484 
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B. Mr. Dellone Immediately Reports Fraud to Coinbase 
150. When Mr. Dellone woke up to get ready for work, around 5:30 p.m. PST on December 
14, 2021, he opened the Coinbase mobile application (which he had installed on his iPhone). To 
his dismay, he saw his account had a $241 balance. Mr. Dellone immediately called Coinbase 
and reported the fraud. 
151. Although Coinbase had apparently sent automated notices regarding the unauthorized 
account activities to Mr. Dellone’s listed points of contact, these notices arrived either while Mr. 
Dellone was unable access his mobile device and/or his email account, or after Coinbase had 
already approved or effectuated the actions and transfers DOES 1-50 had initiated. 
152. Inresponse to Mr. Dellone’s call reporting the unauthorized activity, Coinbase opened a 
“support ticket.” Coinbase also automatically sent Mr. Dellone an email (the “Recovery 
Email”)! explaining how to disable authenticator apps and restore SMS 2FA on his account. 
The Recovery Email advised that Mr. Dellone must observe a 24-hour waiting period before his 
access to his Coinbase account would be restored. 
153. Coinbase then locked Mr. Dellone out of his Coinbase account. 
154. On information and belief, Coinbase sent a copy of the Recovery Email to one or more 
of DOES 1-50, and Coinbase directly and exclusively communicated with devices controlled by 
DOES 1-50, or with DOES 1-50, about Mr. Dellone’s Coinbase account, for several hours, 
unbeknownst to Mr. Dellone. 
155. Notwithstanding Mr. Dellone’s timely and good faith efforts to have Coinbase halt and 
reverse the blatantly unauthorized transactions and account changes on his Coinbase account— 
which only Coinbase can do—Coinbase provided DOES 1-50 with exclusive access to Mr. 
Dellone’s assets during crucial periods of time: while Mr. Dellone was commuting to work, 
while he was at work, and while Mr. Dellone was sleeping. 
156. Mr. Dellone, like every human being, requires sleep. The notion that Mr. Dellone ought 
to have been monitoring his electronic devices 24 hours-a-day, 7 days-a-week, 365 days-a-year, 


and never miss a single text message or email from Coinbase is preposterous. 


21 See, Exhibit B — “Coinbase Email Correspondence with Plaintiff,” at p. 13. 
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157. In December 2021, Mr. Dellone was working the nightshift in the ICU at a hospital, and 
during that time, COVID-19 cases were surging in California. 

158. Coinbase has advised Mr. Dellone that Coinbase accepts zero responsibility for the 
fraudulent transactions it facilitated on his Coinbase account; accordingly, Coinbase implies that 
Mr. Dellone should have been awake during the breach of his account and/or during the theft of 
his assets, or that he should have otherwise responded to the unauthorized activity quicker than 
he did. 

159. Within just the first twenty minutes of his account being breached, Coinbase had 
facilitated more fraudulent transactions for DOES 1-50 than Coinbase had facilitated for Mr. 
Dellone himself in the preceding several months, combined. 

160. And Coinbase profited handsomely from the unauthorized, notably fervent transactional 
activity, which, compared to Mr. Dellone’s exceptionally conservative account transaction 
history, was entirely unprecedented. 

161. Asa direct result of the unauthorized transactions on Mr. Dellone’s account, Coinbase 
collected thousands of dollars’ worth of fee-based transaction revenue, at a rate in excess of $300 
per minute. Those fees were taken directly from Mr. Dellone, while he was asleep, without his 
knowledge, consent, or permission, and through no fault of his own. 

162. Coinbase’s misconduct, negligence, incredible ignorance, and sickening greed—and not 
the fact that Mr. Dellone sleeps, or is gainfully employed—caused Mr. Dellone to lose his 
valuable personal property, and his valuable, and in some instances invaluable, irrecoverable, or 
irreplaceable data, including his PII. 

163. In light of the incredibly suspicious cyber-identification data associated with the 
transactions initiated or requested by Doe Defendants, any reasonable person in Coinbase’s 
position would have pegged the belligerent, uncharacteristic activity on Mr. Dellone’s account 
as fraud, either as or before approving those transactions, and certainly before facilitating the 
single transaction that, in one fell swoop, obliterated Mr. Dellone’s eight-year-old financial 
account and all the valuable property he had acquired over the course of nearly a decade. 


164. Mr. Dellone had never transferred any crypto-assets off the Coinbase Platform, and on 
25 


COMPLAINT 


THE LAW OFFICE OF ETHAN MORA 


1040 E. HERNDON AVE., SUITE 202 


FRESNO, CA 93720 


ase 1:23-cv-01408-ADA-HBK Document1 Filed 09/26/23 Page 27 of 87 


December 14, 2021, Coinbase had absolutely no reason to believe he would. Quite the contrary. 
165. No reasonable person, and certainly no regulatorily compliant custodial Wallet service 
provider or crypto exchange in Coinbase’s position would have approved, let alone immediately 
facilitated the unprecedented (for Mr. Dellone) request to irreversibly transfer six-figures worth 
of virtual cash to a pseudonymous account, without first confirming the identity of the person 
requesting the transfer. Coinbase’s conduct was unreasonable and grossly negligent. 

III. Coinbase’s Abysmal Customer Service Obstructs Mr. Dellone’s Recovery 

Efforts And Investigation 

166. Following the 24-hour “waiting period” Coinbase imposed on Mr. Dellone, Coinbase 
restored Mr. Dellone’s access to his account, but not for long. 
167. On information and belief, during and after the 24-hour “waiting period,” while Mr. 
Dellone was still locked out of his Coinbase account, DOES 1-50 retained and enjoyed unfettered 
access to Mr. Dellone’s account. 
168. On information and belief, when Coinbase finally kicked Doe Defendants’ out of Mr. 
Dellone’s Coinbase account, Coinbase sent an email notification regarding Mr. Dellones account 
to Doe Defendants; this communication caused and exacerbated Mr. Dellone’s damages. 
169. Two days after his account was breached, on December 16, 2021, Coinbase sent Mr. 
Dellone a substantive (not automated) email. The email read, in part: “Our team has been able 
to successfully transfer the balance from your old account to your new one. You should be able 
to access these funds immediately.” 
170. Confused and justifiably concerned by this email, given that, to his knowledge, Mr. 
Dellone does not have a “new” Coinbase account, Mr. Dellone replied to the email seeking 
clarity. When Coinbase did not respond to Mr. Dellone’s email request for clarification in a 
reasonably timely manner given the circumstances, Mr. Dellone submitted another support ticket 
via Coinbase’s website. 


171. Mr. Dellone was not able to submit a support ticket using his Coinbase account because 


>? Exhibit B — “Coinbase Email Correspondence with Plaintiff, at p. 2 (Email from Coinbase to Ryan Dellone, dated 
December 16, 2021, at 10:21 PM). 
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he did not (and he still does not) have access to his account. 
172. In response to Mr. Dellone’s second support ticket, Coinbase (more specifically, 
Coinbase’s software) automatically sent Mr. Dellone a classically generic email that merely 
confirmed Coinbase’s generation of another support ticket. The entire email read as follows: 
“Hello, Thanks for submitting your request to Coinbase Support. We’re here to help and will be 
in touch as soon as possible. In the meantime, you can find answers to many of your questions 
by visiting our Help Center [hyperlink to URL omitted]. Regards, Coinbase Support.” 
173. Mr. Dellone visited Coinbase’s “Help Center,” but he found no answers to his questions. 
A. Coinbase’s “Support Team” Attempts to Cover Up Coinbase’s Egregious 
Misconduct and Swindle Mr. Dellone Out of $1,225 
174. On December 17, 2021, three days after Mr. Dellone’s account had been drained, 
Coinbase sent Mr. Dellone an email, which in substantive part, read: 
Your Coinbase account is currently restricted due to an owed balance caused by an 
unsuccessful payment for a transaction that was credited to your Coinbase Digital Wallet. 
Per the terms of the User Agreement, you are responsible for the owed balance in your 
Coinbase account. 
175. Mr. Dellone promptly replied to Coinbase’s December 17 email, explaining that the latest 
transactions on his Coinbase account were fraudulent, and that Coinbase had already opened a 
support ticket related to the fraud. He also explained that, despite Coinbase’s previous claim to 
have transferred a balance of funds to his account, he had never seen any amount credited to his 
account. See Exhibit B, at pp. 3, 6, and 7. 
176. One of Coinbase’s so-called “support” agents replied to Mr. Dellone via email. The 
support agent’s email explicitly acknowledged that Mr. Dellone’s account “may have been 
compromised and unauthorized activity occurred.” Nevertheless, the email advised Mr. Dellone 
that Coinbase had revoked his account access “due to reversed transactions with your [Mr. 
Dellone’s] bank and an outstanding balance owed to Coinbase.” The support agent’s email 
specified that Coinbase would not “reimburse or credit” Mr. Dellone for “this outstanding 


balance owed to Coinbase,” and further that, until he “first resolve[s] the outstanding balance 
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owed to Coinbase,” Coinbase will not even consider restoring his account access. Id. at 5, 6. 
177. Mr. Dellone was then locked out of his Coinbase account again, and to this day, Mr. 
Dellone remains unable to access his account. 

178. For over a year, Mr. Dellone has diligently attempted to regain access to his Coinbase 
account by communicating with Coinbase, taking steps to prove his identity, and by using 
Coinbase’s “support ticket” system, all to no avail. 

179. Due to Mr. Dellone’s persistence, Coinbase eventually contacted Mr. Dellone with what 
Coinbase purported to be instructions for regaining access to his account. Coinbase’s instructions 
advised Mr. Dellone to submit an “ID Selfie”, in order to verify his identity with Coinbase. 
Coinbase’s so-called “ID Selfie” procedure required that Mr. Dellone: first, take a digital picture 
of himself showing his face and him holding one of his government ID cards, along with a piece 
of paper that includes the day’s date and reads “For Coinbase Verification”; then, access the 
SendSafely portal (a third-party web-based application) by using the same email address he used 
to submit his “support ticket”; and finally, upload his “ID selfie” through the “SendSafely” 
portal, using the link included in Coinbase’s email containing the ID Selfie instructions. 

180. Mr. Dellone followed Coinbase’s ID Selfie procedure, per Coinbase’s instructions. He 
then followed up with Coinbase to advise that he had completed the ID Selfie procedure. 

181. Considering the data that had already been exposed to DOES 1-50 through their 
unauthorized access to Mr. Dellone’s Coinbase account, a more appropriate manner of 
confirming Mr. Dellone’s identity than Coinbase’s “ID Selfie” procedure—as opposed to 
uploading his PII to a third-party portal accessible only via an emailed hyperlink—would have 
been presenting his government ID card directly to Coinbase while communicating directly with 
a live Coinbase employee. 

182. Coinbase’s “ID Selfie” procedure has, on information and belief, exposed Mr. Dellone, 
to grave privacy violations. 

183. Coinbase never followed up with Mr. Dellone regarding his “ID Selfie.” Instead, 
Coinbase eventually emailed Mr. Dellone with an ambiguous request for “additional 


information,” which Coinbase implied was yet another prerequisite, in addition to the ID Selfie 
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procedure, that Mr. Dellone must satisfy “before [Coinbase] can resolve this case.” Mr. Dellone 
emailed Coinbase to ask what “additional information” Coinbase required. 

184. More than two weeks after Mr. Dellone’s account had been breached, on December 30, 
2021, Coinbase replied to Mr. Dellone’s email, inviting Mr. Dellone to respond, in writing (via 
email), to a series of questions, purportedly constituting Coinbase’s “security review by email” 
process. 

185. Coinbase sent its “security review by email” questions to Mr. Dellone after Coinbase had 
already asserted, erroneously, that he was responsible for the unauthorized activity on his account. 
Evidently, Coinbase’s “security review by email” questions were aimed, not at resolving Mr. 
Dellone’s immediate concerns, nor at verifying Mr. Dellone’s identity, but at baiting Mr. 
Dellone—a layperson under substantial financial and emotional distress—into hastily and 
unintentionally providing inaccurate or inadequately informed responses to Coinbase’s leading, 
inherently unclear inquiries. For example, Coinbase asked, “Was the device in your possession 
during the unauthorized activity?” This inquiry, lodged without any context, does not specify which 
“device” the inquiry concerns, and it inherently suggests undue significance to “possession,” as 
opposed to “control,” of a device. Coinbase also asked, “Can you provide any further information 
about how your credentials could have been compromised?” This question encouraged heedless 
speculation as to any possible reasons Coinbase might later try and trod out as part of its unscrupulous 
scheme to slither out of liability for its obvious misconduct. 

186. When Coinbase sent its “security review by email” questions to Mr. Dellone, Coinbase was 
well-aware of the fraud on Mr. Dellone’s account, and by that point, Coinbase knew or should have 
known exactly how DOES 1-50 had breached his account. 

187. Coinbase maintains and controls virtually all relevant information concerning the breach 
of Mr. Dellone’s Coinbase account, including data and information about DOES 1-50. 

188. Mr. Dellone has demanded, on numerous occasions, that Coinbase share his account 
information with him. In response, Coinbase has provided Mr. Dellone with records that Mr. 
Dellone has subsequently discovered to be incomplete. For example, the user profile records for 


Mr. Dellone’s Coinbase account, as initially produced by Coinbase, omit the email address and 
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phone number, which DOES 1-50 used to retain control of his account. 
189. The exclusion of certain account information, and of all relevant information to which 
Mr. Dellone, as a California consumer, is entitled, whether intentionally or negligently withheld 
by Coinbase from Mr. Dellone, has caused Mr. Dellone to incur additional and needless 
expenses and harms. 

IV. Coinbase Breached Its Duties To Mr. Dellone 
190. As a unique business that offers unique products and services, Coinbase is subject to 
unique duties and heightened standards of care, namely concerning the electronic fund transfers 
Coinbase facilitates, as well as with respect to its user-authentication and customer data-handling 
practices. 
191. Among digital service providers and online retailers generally, companies (including 
Coinbase) that collect and exploit their users’ data, are subject to heightened standards of care 
regarding how the companies manage and store their customers’ personal and private 
information. 
192. Unlike most conventional consumer financial institutions, Coinbase provides exclusively 
online services, in addition to conventional online “banking” -type services. Coinbase offers 
services related to crypto-assets, including digital asset custodial services, and services by which 
Coinbase facilitates peer-to-peer (P2P) digital asset transfers for its customers. 
193. Although Coinbase offers non- “traditional” online banking services, Coinbase remains 
bound by broader categorical duties and standards applicable to traditional retail consumer 
financial institutions, like banks. Because Coinbase facilitates electronic fund transfers, 
Coinbase is required to use the customer data it collects and maintains to help prevent and 
address unauthorized activity and fraud on the Coinbase Platform. 
194. Moreover, Coinbase is not only a “decentralized” and “remote first” company, Coinbase 
is also a publicly-traded consumer retail financial institution with zero brick-and-mortar branch 
locations, and ostensibly no in-person or live telephone support services for its retail customers. 
195. Given the emerging nature of crypto-assets, and Coinbase’s unique “remote-first,” 


“decentralized” business operations, Coinbase’s standards of care and duties are heightened, and 
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in many ways, are more exacting than traditional financial institutions. 

196. Asacustodial Wallet service provider and online crypto exchange that routinely manages 
and facilitates both online banking and crypto-asset transactions, Coinbase is subject to 
heightened standards of care, specifically with respect to its user authentication practices. 

197. The standards of care and duties Coinbase owed Mr. Dellone are reflected in banking, 
privacy, and securities laws aimed at protecting consumers, retail investors, and the public. 

198. Coinbase was and is required to comply with financial services and consumer protection 
laws, including the strict obligations imposed by the Bank Secrecy Act. See 31 U.S.C. § 5311; 
12 C.F.R. § 208.63. The Bank Secrecy Act’s obligations are reinforced by the USA Patriot Act 
of 2001 (the “Patriot Act’), which underscores the importance of implementing robust internal 
systems to detect and report money laundering and other suspicious activities. 

199. Ataminimum, the Bank Secrecy Act and the Patriot Act require that Coinbase form and 
maintain records and reports, and implement procedures for a “Customer Identification 
Program” aimed at reasonably ascertaining the true identities of the people for whom it facilitates 
transactions. See 31 CFR § 1020.220(a)(2). 

200. Coinbase was and is also subject to the Electronic Fund Transfer Act, 15 U.S.C. §§ 1693 
et seq. (“EFTA’’) and its corresponding regulations implemented by the Consumer Financial 
Protection Bureau (“CFPB”), see 12 C.F.R. § 1005.1, et seq. 

201. Congress designed the EFTA with the “primary objective” of “the provision of individual 
consumer rights.” 15 U.S.C. § 1693; 12 C.F.R. § 1005.1(b) (the “primary objective of the act 
and this part is the protection of individual consumers engaging in electronic fund transfers and 
remittance transfers.”’). 

202. The Bank Secrecy Act, the Patriot Act, and the EFTA require that traditional financial 
institutions, and crypto exchanges that provide custodial Wallet services, including Coinbase, 
take steps to protect consumers by complying with clear, common-sense standards applicable to 
regulated entities. For instance, to properly verify a customer’s identity, a traditional bank with 
physical branch locations might ask its customer to visit a branch office, and present one of the 


bank’s employees with the customer’s government identification card, in person. Of course, a 
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“decentralized” institution, like Coinbase, with no physical branch locations, would be unable 
verify its customer’s identity in the same manner; still, Coinbase is required to employ its 
customer identity authentication procedures in a fashion reasonably consistent within the spirit 
of these laws. 

203. Coinbase has repeatedly touted itself as a regulated, fully-compliant cryptocurrency 
exchange service provider, registered as a Money Services Business with the United States 
Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN’”). 

204. Before the breach of Mr. Dellone’s Coinbase account, Mr. Dellone reasonably relied on 
Coinbase’s representations that Coinbase had been operating in compliance with financial and 
banking regulations, and consistent with consumer data management and cybersecurity 
standards applicable to all regulated custodial Wallet service providers. 

205. Coinbase was or should have been aware, prior to December 2021, that its duties 
concerning the policies, procedures, and practices Coinbase had in place to protect its customers, 
must be based on Coinbase’s “reasonable” assessment of relevant risks, considering: (i) 
Coinbase’s size, location, and customer base; (ii) the various types of accounts maintained by 
Coinbase; (iii) the various types of identifying information available to Coinbase; and (iv) the 
various methods of opening Coinbase accounts. 

206. Contrary to the interests of keeping its customers’ accounts secure, Coinbase failed to 
provide Mr. Dellone with the security features it advertised and was legally required to provide. 
207. Coinbase failed to protect and restore, or otherwise reimburse Mr. Dellone for the 
fraudulent conversion of his assets, despite representing that it would safeguard its customers’ 
assets in a manner consistent with the security and diligence commonly provided by other 
financial institutions and digital asset custodians, such as Coinbase’s competitors. 

208. Coinbase granted unknown parties (DOES 1-50) access to Mr. Dellone’s Coinbase 
account, and authorized and facilitated the exchange and unlawful transfer of every single digital 
asset Mr. Dellone had entrusted to Coinbase’s custody, in flagrant violation of anti-money 
laundering and consumer protection laws. 


209. Mr. Dellone’s assets were stolen from his Coinbase account because Coinbase did not 
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have the customary security and user authentication systems in place to detect and prevent the 
criminal and tortious conduct that resulted in Mr. Dellone’s injuries. 
210. Further, Coinbase’s “ID Selfie” procedure was not consistent with the obligations 
imposed by the BSA or the EFTA. 

A. Coinbase Leaked Its Customers’ Credentials, Ignored Addressable Security Flaws, 

and Equipped Hackers with Tools to Loot Customer Accounts 
211. The credentials necessary to log into a Coinbase account include an email address, a 
password, and “multi-factor authentication” or “two-factor authentication” (“2FA”) mechanism. 
212. Coinbase enabled and used SMS text messages as a form of 2FA for many of its 
customers’ accounts,”* including for Mr. Dellone’s account—doing so benefitted Coinbase 
financially, as Coinbase is a publicly-traded company that, in 2021, generated an overwhelming 
proportion of its multi-billion-dollar revenue from transactions fees. 
213. In the years leading up to the breach of Mr. Dellone’s account, Coinbase exposed its 
unknowing customers to profuse cyber-attack vectors, by repeatedly leaking its customers’ 
account credentials, publicly, in plain-text form. 
214. Coinbase, further, emboldened countless malicious actors—ranging from marketing 
companies to scammers and hackers—with software tools, which bad actors used, along with 
the “user credentials” Coinbase publicly disclosed, in order to target and swiftly exploit 
Coinbase’s customers while generating obscene amounts of revenue for Coinbase. 
1. Coinbase Publicly Exposed Customer “Credentials” In Plain-Text Form 

215. Between 2013 and 2023, Coinbase exposed the specific email addresses its customers 
use when logging into their Coinbase accounts. Coinbase exposed this data by negligently 
programming its webpage response forms to respond to “sign up,” “forgot email,” and/or “forgot 
password” submission requests, by indiscriminately confirming whether the email address 
submitted to Coinbase’s webpages were already being used as a customer’s Coinbase-specific 


“credential.” 


3 See Coinbase Blog, Coinbase now offers two-factor authentication, 
https://coinbase.tumblr.com/post/25677574019/coinbase-now-offers-two-factor-authentication (June 22, 2012). 
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216. Before April 2021, Coinbase knew or should have known that confirming whether an 
existing customer uses a particular email address to log into his or her Coinbase account presents 
grave and unacceptable risks to its customers, and to its customers’ privacy and property. 

217. For years, Coinbase inexcusably exposed many of its customers’ account login and 
authentication credentials, in plain-text form, publicly, in innumerable variations. 

218. Prior to April 2021, no significant barriers could have reasonably prevented Coinbase 
from fixing its faulty webpage response forms, which were leaking Coinbase user “credentials” 
from the Coinbase Platform. Coinbase’s executives, agents, Affiliates, and/or employees chose 
not to fix these leaky webpages. 

219. Before December 2021, Coinbase could have easily reprogrammed its vulnerable 
webpage forms so that the responses were consistent with commonly accepted industry 
standards, which do not confirm or expose, in plain-text form, its users’ account-specific user 
“credentials.” For instance, Coinbase could have programmed its webpages to respond with, 
“Please check your email for further instructions,” or ““We sent a text message to the phone 
number linked to that email.” 

220. Additionally, by using the same webpage response form vulnerability that would confirm 
and identify Coinbase customers’ email addresses, bad actors were also able to use the disclosed 
email addresses to request password resets for Coinbase accounts associated with those emails. 
In some instances, this allowed the bad actors to verify or confirm, directly with Coinbase, the 
final digits of the phone numbers used by Coinbase and its customers to “secure” Coinbase 
accounts associated with the email addresses leaked by Coinbase. 

221. Prior to May 2021, Coinbase knew that the email addresses it had leaked were being 
exploited to identify, confirm, and wrongfully assert control over mobile phone numbers and 
telecommunications services its customers, and Coinbase, used to secure Coinbase customers’ 
accounts. 

222. For years, the vulnerable webpage forms on Coinbase’s Platform leaked Coinbase’s 
customers’ data, including Mr. Dellone’s data, and although Coinbase had ample opportunities 


to adequately disclose and fix these webpage security bugs, and thus eliminate the exceptionally 
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dangerous attack vectors Coinbase left open on its Platform, Coinbase did not seize any of the 
opportunities it had to rectify these problems. 
223. Coinbase and its employees and agents repeatedly ignored glaring cyber-attack vectors, 
and wantonly exposed its unsuspecting and otherwise defenseless customers to easily- 
preventable risks of loss and harm, apparently for no good reason. 
224. Taking the appropriate steps to correct, or to at least account for Coinbase’s data leaks, 
would have protected many unnecessarily vulnerable Coinbase customers, including Mr. 
Dellone, from devastating losses and harms, both emotional and financial. 

2. Despite the Alarming Increase in “SIM Swap” Attacks, Coinbase Failed to Take 

Actions Necessary to Address Security Vulnerabilities on Its Platform 

225. An unauthorized SIM Swap (or “SIM Swap attack”) refers to an unlawful SIM card 
change. 
226. A SIM (or, “Subscriber Identity Module’) card is a small, removable chip that allows a 
mobile phone to communicate with the phone’s mobile carrier network. The connection between 
a mobile phone and its SIM card is made by the telecommunications carrier, which associates 
each SIM card with a physical phone’s IMEI number. The SIM card allows the “carrier” 
telecommunications company (i.e., cellular network service provider) to determine which 
subscriber’s account is associated with a particular mobile phone. 
227. SIM Swap attacks exploit SMS 2FA mechanisms by compromising a trusted connection 
(the cellular network service provider), unbeknownst to one or more parties who rely on the 
compromised connection. 
228. Mr. Dellone’s mobile phone service “carrier” was one of the major branded U.S. 
telecommunications network providers. 
229. During a SIM Swap attack, a SIM card number associated with a victim’s mobile phone 
account is switched from the victim’s phone, to a phone in the possession of a third-party (an 
attacker), thus re-routing the victim’s mobile phone service (including incoming data, texts, and 
phone calls associated with the victim’s phone) from the victim’s physical phone (still in the 


victim’s possession), to a physical phone controlled by the attacker. The attacker then receives 
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all the text messages and phone calls intended for the victim. Meanwhile, the victim’s phone 
loses its ability to connect to the carrier network. 
230. InaSIM Swap attack, once a third-party obtains control over a victim’s phone number, 
the third-party can use that control to access and take control of the victim’s online accounts by, 
for example, exploiting password reset links and 2FA codes sent via text message to the victim’s 
phone, using the victim’s phone number controlled by the third-party. 
231. Since at least 2018, Coinbase knew that “man-in-the-middle” attacks, and SIM Swap 
attacks in particular, are relatively easy to accomplish and were increasingly becoming prevalent 
in the crypto-economy. 
232. Before December 2021, Coinbase knew that SIM Swap attacks present uniquely severe 
risks of harm to its customers. 
233. In and before December 2021, Coinbase knew or should have been able to quickly 
recognize the hallmarks of a SIM Swap attack, as SIM Swap attacks affecting Coinbase 
customers were, by that point, not at all uncommon. 
234. Coinbase could have taken, but did not take reasonable steps to prevent, detect, and 
address SIM Swap activity affecting customer accounts on the Coinbase Platform. Coinbase, for 
example, did not require that Mr. Dellone use application-based (or another form) of multi-factor 
authentication, rather than SMS-based 2FA, which could have assisted Coinbase in preventing 
the harms Mr. Dellone experienced as a result of Coinbase’s data leaks and other security 
vulnerabilities. 

3. Coinbase Allows Its Users to Abuse VOIP Phone Numbers 
235. VOIP phone numbers do not connect to, or make use of, cellular telecommunications 
networks. Instead, VOIP numbers use internet connections to make voice phone calls and send 
and receive text messages from mobile device phone numbers. 
236. Unlike cellular network phone service providers, VOIP service providers issue phone 
numbers without the existence of a physical phone, which would otherwise link the phone 
numbers to physical mobile devices with IMEI numbers. 


237. VOIP services can be used with various kinds of internet-connected hardware devices, 
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such as laptop or desktop computers. 

238. VOIP numbers can be used in conjunction with VPNs to disguise the location of the 
device using the VOIP phone number. 

239. VOIP numbers can be exceptionally difficult to associate with a user’s identity, 
especially when proxy services (like VPNs) are used to intentionally disguise the geolocations 
of devices and mask the association between a device and the user’s identity. 

240. As early as 2019, Coinbase knew or should have known that bad actors use VOIP phone 
numbers to make themselves harder to track when committing unlawful acts, like, for example, 
money laundering through online financial accounts secured by SMS 2FA. 

241. Coinbase has claimed it does not allow its customers to use VOIP phone numbers on its 
Platform. See, e.g., Coinbase, Set up two-step verification — Add a Phone Number, 


https://www.coinbase.com/setup/phone (“For your security, Coinbase does not accept VOIP 


phone numbers.”’). 

242. Because Coinbase has represented that it does not allow the use of VOIP numbers with 
Coinbase customer accounts, Coinbase customers face severe cybersecurity risks when VOIP 
numbers are used by users of the Coinbase Platform. By permitting the use of VOIP numbers, 
Coinbase provided DOES 1-50 with an effective means to clandestinely exploit Coinbase’s SMS 
2FA procedures and capitalize on the attack vectors left open by Coinbase. Absent Coinbase’s 
negligence in this regard, breaching Mr. Dellone’s Coinbase account would have been more 
difficult, less enticing, and likely impossible for one or more of DOES 1-50. 

243. Coinbase negligently, carelessly, and recklessly permitted Coinbase accounts to be 
created and used with VOIP phone numbers, without implementing or enforcing reasonable 
measures for addressing the inherent risks to Coinbase customers’ assets imposed thereby. 

244. Coinbase either programmed and continued to maintain seriously flawed automated 
software systems, or instructed its employees to approve the utterly absurd requests made by 
DOES 1-50, which, in this case, changed Mr. Dellone’s email address and phone number to the 
hackers’ email address and VOIP phone number (with a Montana area code). As a result, Mr. 


Dellone’s prospects of identifying DOES 1-50 are drastically lower than they otherwise would 
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have been, had Coinbase banned the use of VOIP numbers, as Coinbase had represented it had, 
prior to the breach of Mr. Dellone’s Coinbase account. 

B. Before April 2021, Coinbase Global Knew CBI Had Failed to Address Imminent 

Cyber-Threats to Coinbase’s Customers 

245. Coinbase collected, exploited, and profited from Mr. Dellone’s sensitive personal and 
confidential data, while needlessly exposing Mr. Dellone to cyber-threats that Coinbase caused, 
ignored, deceitfully downplayed, and failed to address. 
246. Since at least 2017, Coinbase has known that bad actors, including criminal hackers, 
money launderers, and scammers, seek out and utilize leaked Coinbase customer data to obtain 
or verify consumer online account credentials and account assets. 
247. Between 2018 and 2022, Coinbase observed a dramatic increase in unauthorized 
electronic fund transfers resulting from SIM Swap attacks. This problem was well-documented 
by Coinbase users and the media.”4 
248. Between 2018 and 2022, CBI’s cybersecurity and customer data management practices 
and procedures were not reasonable for a consumer financial service provider and custodian of 
consumer digital assets and data. 
249. Since at least 2019, Coinbase Global knew or should have known that many of 
Coinbase’s customers were being targeted by criminal hackers seeking to abuse leaked Coinbase 
customer data, in order to steal cryptocurrencies on the Coinbase Platform. 
250. Before December 2021, Coinbase knew that some Coinbase users had their Coinbase 
“access tokens” compromised in a data breach.”° 
251. Coinbase’s indifference to the risks posed by SIM Swap attacks, which Coinbase foisted 
on Mr. Dellone and its other unsuspecting retail customers, contributed substantially to Mr. 
Dellone becoming, and potentially becoming a target of unsolicited and harmful online 
intrusions, including highly-specific and unwanted advertisements, online account breaches, 


4 TechCrunch, Coinbase vulnerability is a good reminder that SMS-based 2FA can wreak havoc, 
https://techcrunch.com/2017/09/18/ss7-coinbase-bitcoin-hack-2fa-vulnerable/ (published Sept. 17, 2018). 


5 See, e.g., ZDNet, Coinbase sends out breach notification letters after 6,000 accounts had cryptocurrency stolen, 
https://www.zdnet.com/article/coinbase-sends-out-breach-notification-letters-after-6000-accounts-had-funds-stolen/ 


(published October 1, 2021). 
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phishing attempts, data exfiltration, complete account takeovers, and other privacy violations 
and data and personal property losses Mr. Dellone has sustained, or which he now remains at 
persistent risk of sustaining in the future. 

252. In spite of simple, cost-effective measures readily available to Coinbase, which would 
have prevented the harms and losses Mr. Dellone has sustained, Coinbase failed to take 
reasonable steps to improve its substandard customer authentication and credential management 
practices. 

253. Despite the harms Defendants inflicted on Mr. Dellone, Coinbase’s employees or agents 
obstructed, and intentionally or negligently delayed Mr. Dellone’s investigation of his claims, 
by withholding relevant transaction and account data, thereby assisting DOES 1-50 in their 
efforts to remain anonymous. 

254. Coinbase’s cybersecurity and consumer-protection features were not provided to Mr. 
Dellone as advertised, nor were they proportional to the serious threats posed by the increasingly 
abundant SIM Swap activity on the Coinbase Platform, which Coinbase Global knew was 
directed at Coinbase customers. 

255. For months, if not for more than a year after the theft of Mr. Dellone’s crypto-assets, 
Coinbase was required to, but did not take, and has not taken, reasonable steps to remedy its 
flawed security and authentication practices, as herein alleged. 

256. Prior to and during the commission of the herein alleged theft and fraud, CBI ignored 
Mr. Dellone’s cyber-identification data, or failed to use said data to secure his Coinbase account 
and his digital assets in Coinbase’s custody. 

257. On information and belief, CBI implemented policies that prevented or discouraged its 
employees and its Affiliates from taking timely actions that would have prevented, mitigated, or 
reduced Mr. Dellone’s damages. 

258. Coinbase Global recognized thousands of dollars in unearned transaction fees from the 
fraudulent transactions Coinbase effectuated using Mr. Dellone’s Coinbase account. Those fees 
were paid using Mr. Dellone’s funds and assets; and those fees have directly benefitted Coinbase, 


and not Mr. Dellone. 
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259. For years, Coinbase has enjoyed undeserved customer loyalty resulting from its false 
representations, including, for example, its claims that it has “never lost” customer funds due to 
a breach of its Platform. Coinbase has been unjustly enriched, both financially and reputationally, 
at Mr. Dellone’s direct expense. 

C. Coinbase Emboldened DOES 1-50 by Persistently Disregarding Open Attack 

Vectors on Its Platform 

260. For nearly a decade, Coinbase failed to address various, heavily-abused weaknesses on 
its Platform, and in addition, enforced ineffective “rate limits” on log-ins attempts, transaction 
requests, and other actions on the Coinbase Platform, particularly in Coinbase’s “developer” 
environment. 
261. Absent Coinbase’s misconduct, criminal hackers and scammers could not have compiled 
lists of Coinbase account credentials and other customer-specific data (e.g., account balances) 
verified directly by Coinbase itself. 
262. On information and belief, before December 14, 2021, DOES 1-50 used data leaked by 
Coinbase to determine that Mr. Dellone’s Coinbase account was worth attempting to breach. 
263. On information and belief, at least one of DOES 1-50 submitted Mr. Dellone’s email 
address to Coinbase’s webpage, purporting to “sign up,” or “log in” to Mr. Dellone’s Coinbase 
account; Coinbase automatically responded to the request by confirming that Mr. Dellone used 
his specific email address as a Coinbase credential. 
264. On information and belief, DOES 1-50 attempted to reset the password for Mr. Dellone’s 
Coinbase account using the email address DOES 1-50 had previously verified with Coinbase; 
Coinbase responded to Doe Defendants’ requests by confirming that Mr. Dellone used SMS 2FA 
to secure his Coinbase account, and by disclosing or verifying the final digits of Mr. Dellone’s 
mobile cell phone number. 
265. On information and belief, the last two digits of Mr. Dellone’s phone number allowed 
DOES 1-50 to confirm the full phone number Mr. Dellone and Coinbase used to secure his 
Coinbase account with SMS 2FA. 


266. On information and belief, prior to breaching Mr. Dellone’s Coinbase account, DOES 1- 
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50 used Coinbase’s “developer tools” to verify Mr. Dellone’s Coinbase account data, and check 
the balance of funds stored in (or associated with) Mr. Dellone’s Coinbase account. 
267. On information and belief, after obtaining Mr. Dellone’s email address, Doe Defendants 
utilized Coinbase’s “developer tools” and ineffective rate limits to attempt to brute force Mr. 
Dellone’s Coinbase account password, and/or to engage in credential stuffing for the same 
purpose. 
268. On December 14, 2021, DOES 1-50 unsuccessfully attempted to log into Mr. Dellone’s 
Coinbase account over forty (40) different times, including from devices connected to networks 
in Russia, Belarus, and Kazakhstan, among other locations. 
269. Even with this context, when DOES 1-50 initiated the series of transactions that 
liquidated the assets in Mr. Dellone’s account, Coinbase failed to detect, and then continuously 
permitted Doe Defendants to use automated software and/or Coinbase’s developer tools to target, 
breach, and decimate Mr. Dellone’s Coinbase account. 
270. On information and belief, DOES 1-50 accomplished an unauthorized SIM Swap of Mr. 
Dellone’s cellular phone service, with the aim of gaining access to his Coinbase account. 
271. On information and belief, DOES 1-50 would not have been motivated to SIM Swap Mr. 
Dellone, had Coinbase not already confirmed or provided one or more of DOES 1-50 with Mr. 
Dellone’s email address and the final digits of his phone number, which Coinbase confirmed for 
Doe Defendants as valid “credentials” used to access the Coinbase Platform. 
272. The SIM Swap attack on Mr. Dellone’s account did not impact Coinbase’s ability to 
prevent or adequately address the financial harms Mr. Dellone sustained before, as, or after Mr. 
Dellone sustained his harms. 
273. Had Coinbase prevented users of the Coinbase Platform from using VOIP numbers, 
Coinbase could have quickly identified the source of Mr. Dellone’s account breach, simply by 
recognizing the unauthorized IMEI number, which likely would have allowed Coinbase to 
determine the location and identity of DOES 1-50. 

V. Coinbase’s User Agreement Is Unconscionable, Void, And Unenforceable 


274. Mr. Dellone and Coinbase were parties to various versions of Coinbase’s user agreement. 
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275. Mr. Dellone complied with the terms and conditions set out and implied in the various 
agreements between Mr. Dellone and Coinbase. 

276. Coinbase’s user agreement, dated December 6, 2021 (the “User Agreement’), was the 
latest during the relevant time period. The User Agreement incorporated the Coinbase Global 
Privacy Policy, dated October 8, 2021 (the “Privacy Policy’), and Coinbase’s Cookie Policy, 
dated October 1, 2021 (the “Cookie Policy”). The User Agreement, Privacy Policy, and Cookie 
Policy are attached to this Complaint as “Exhibit A”, 

277. The User Agreement was a “clickwrap agreement” (or “browsewrap agreement’), 
drafted by Coinbase, which Coinbase presented to Mr. Dellone on a “take it or leave it” basis. 
278. Although the User Agreement contains an arbitration provision, there are several 
cumbersome conditions precedent to seeking arbitration, which Coinbase customers must satisfy 
before seeking to arbitrate their disputes with Coinbase. These conditions are inextricable from 
the User Agreement’s “delegation clause,” which, as further alleged below, unfairly benefits 
Coinbase and harms Mr. Dellone. 

279. Coinbase has always been aware that time is of the essence in responding to cyber-attacks 
on the Coinbase Platform. 

280. According to the User Agreement, in the event a “dispute” arises between Mr. Dellone 
and Coinbase, Mr. Dellone (the customer) must first attempt to resolve his dispute with 
Coinbase’s “support team’; only if Coinbase’s support team fails to resolve the dispute, can Mr. 
Dellone then initiate Coinbase’s so-called “Formal Complaint Process” (“FCP”), which is 
described in the User Agreement. 

281. Per the User Agreement, Coinbase has a self-imposed obligation to resolve customer 
disputes raised through the FCP, by no later than 35 days after the customer initiates the FCP 
(by submitting his or her FCP complaint form). See User Agreement, §§ 8.2.1, 8.2.2, Exhibit A. 
282. According to the User Agreement, Mr. Dellone may exercise his right to demand 
arbitration, only if he completes Coinbase’s time-consuming and one-sided FCP. 

283. The User Agreement’s delegation clause delegates decisions concerning the arbitrability 


of disputes between Mr. Dellone and Coinbase, to Coinbase. 
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284. The delegation clause requires that Coinbase customers delay their demands to arbitrate 
potential claims against Coinbase until the conclusion of the FCP, which, subject to Coinbase’s 
sole discretion, can leave its customers waiting for a resolution for well over a month after a 
dispute first arises, as was the case here. 

285. Unlike Coinbase’s customers, Coinbase benefits from the FCP because Coinbase is not 
subject to any burdensome pre-arbitration processes or conditions precedent to demanding 
arbitration against Mr. Dellone. 

286. Along with the other pre-FCP waiting periods (e.g., attempting to resolve “disputes” with 
Coinbase’s “support team’) and the myriad formal and informal barriers Coinbase set in front 
Mr. Dellone (e.g., locking Mr. Dellone out of his account; demanding that Mr. Dellone retmburse 
Coinbase), the waiting period imposed by the FCP is beneficial to Coinbase, convenient for 
DOES 1-50, and severely prejudicial to Mr. Dellone and Coinbase’s other retail customers facing 
time-sensitive circumstances similar to Mr. Dellone’s. 

287. Before December 2021, Coinbase knew that its “phone agents” would not be available 
to appropriately handle support calls, including calls pertaining to urgent and important customer 
inquiries and requests, such as situations where, as here, a customer (Mr. Dellone) has timely 
reported unauthorized activity on his Coinbase account and is attempting to verify his identity 
and protect his assets from irrevocable loss.”° 

288. The unavailability of qualified, adequately-trained Coinbase phone agents and 
employees significantly delayed Mr. Dellone’s initiation of the FCP by further delaying the 
preconditional “support team” phase of the “dispute resolution” process, which he, as a Coinbase 
customer, was required to complete prior to initiating the FCP (the FCP, itself, then being another 
up-to-35-day process). 

289. When Coinbase presented Mr. Dellone with the User Agreement, Coinbase knew or 


26 Compare, Coinbase, How Can I Contact Coinbase Support?, https://help.coinbase.com/en/coinbase/getting- 
started/other/how-can-i-contact-coinbase-support (“Please be aware that we currently do not offer any phone 
support with a live agent” (emphasis in original), with https://help.coinbase.com/en/coinbase/privacy-and- 
security/account-compromised/my-account-was-compromised (“Call Coinbase Support to lock your account 
yourself using our automated system or to get help from a live agent”) (emphasis added), and (“Speak directly to 
someone on our support team to get answers about your account, crypto purchases, or payments.”) (emphasis 
added). 
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should have known that Coinbase did not have adequate staffing, and did not have in place the 
appropriate policies, practices, or procedures necessary for Coinbase to comply with the pre- 
arbitration dispute resolution process Coinbase itself had devised. 

290. Coinbase entered into the User Agreement knowing that, should Mr. Dellone ever initiate 
the FCP, Coinbase would likely breach, or become in breach, of its obligations under the terms 
of the User Agreement. Coinbase, for example, knew that its employees, representatives, and 
agents responsible for responding to its customers’ “support tickets” were ill-equipped, 
underprepared, or completely incapable of timely responding to the urgent issues Mr. Dellone 
subsequently raised in his FCP complaint. 

291. The pre-arbitration dispute resolution process is incorporated into and has served as a 
prerequisite for Coinbase customers to invoke their contractual rights, as set out in the 
“arbitration agreement” of the User Agreement. 

292. On numerous occasions between October 2013 and December 2021, Coinbase 
misrepresented its ability to comply with its own arbitration procedures, and Coinbase therefore 
fraudulently induced Mr. Dellone to accept and comply with the FCP, knowing that the FCP and 
Coinbase’s own unscrupulous antics would unfairly prejudice Mr. Dellone’s prospects of 
recovering his stolen assets. 

293. The User Agreement is grossly unfair because the delegation clause specifies that 
Coinbase customers, but not Coinbase, must wait up to 35 days before demanding arbitration— 
but whether arbitration is, in fact, appropriate (e.g., whether the preconditions have been 
satisfied) is a determination Coinbase has reserved exclusively for Coinbase, per the User 
Agreement. 

294. The User Agreement is unconscionable and unenforceable because the obligations to 
initiate and engage in futile correspondence with Coinbase’s “support team,” submit “ID Selfies” 
through third-party online portals, and comply with the one-sided “arbitration” provision and 
unconscionable “delegation” clause set out in the User Agreement, apply only to claims Mr. 
Dellone has or would initiate against Coinbase. Coinbase, on the other hand, is subject to no such 


obstacles or conditions precedent with respect to claims it might initiate against Mr. Dellone. 
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295. Coinbase has never been limited by the User Agreement with respect to its ability to 
pursue claims against Mr. Dellone, by whatever means Coinbase deems necessary. For instance, 
when Coinbase disputed its liability for the unauthorized Bitcoin purchases made using Mr. 
Dellone’s bank account (which were reversed by Mr. Dellone’s bank), Coinbase resolved its 
“dispute”—not by demanding arbitration—but by simply exploiting Coinbase’s unilateral ability 
to prevent Mr. Dellone from regaining access to his Coinbase account, pending his remittance 
of the alleged reimbursement amounts Coinbase has demanded from him. Mr. Dellone never 
paid Coinbase the bogus reimbursement amounts Coinbase claimed he owes, and thus, Coinbase 
never restored Plaintiff's account access. 
296. On March 11, 2022, after completing the conditions precedent to initiating the FCP, Mr. 
Dellone completed and submitted the FCP complaint form, thereby initiating the FCP. 
297. Coinbase failed to engage in the FCP and the dispute resolution process in good faith. 
298. Coinbase did not respond to Mr. Dellone’s FCP complaint form by May 2, 2022, over 35 
days after Mr. Dellone sent his complaint form to Coinbase. 
eT 
FIRST CLAIM FOR RELIEF 
VIOLATION OF THE ELECTRONIC FUND TRANSFER ACT (“EFTA”), 15 U.S.C. 
SECTION 1693 ET SEQ. (AGAINST COINBASE 
299. Plaintiff realleges and incorporates each of the above paragraphs 1 — 298, as though fully 
set forth in this cause of action. 
300. The actions and omissions of Coinbase, as alleged herein, violate obligations imposed by 
the Electronic Fund Transfer Act, 15 U.S.C. §§1693 et seg. (“EFTA”) and Regulation E, 
including, 12 C.F.R. § 1005.7. 
301. Coinbase provides users with hosted “Digital Currency” wallets for holding “Digital 
Currencies,” and a hosted U.S. Dollars wallet for holding U.S. Dollar-denominated obligations. 
302. Coinbase is a “financial institution” as defined by the EFTA because it is a corporation 
that holds accounts belonging to consumers, including Plaintiff's Coinbase account and digital 


Coinbase-issued wallets. 
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303. Plaintiff is a “consumer” as defined by the EFTA because he is a natural person. 

304. Plaintiff's Coinbase account is an “account” as defined by the EFTA and/or Regulation 
E because it is an asset account held directly by Coinbase and established primarily for personal, 
family, or household purposes. 

305. Plaintiff and Coinbase established Plaintiff's Coinbase account, and Plaintiff used his 
Coinbase account for personal purposes and not for business purposes. 

306. The primary purpose of the unauthorized transfers alleged herein was not the purchase 
or sale of securities or commodities, but rather for the purpose of stealing or laundering securities 
or commodities. 


‘ 


307. The electronic fund transfers at issue were each an “unauthorized electronic fund 
transfer” because they were initiated by a person other than Plaintiff, by fraud, without actual 
authority to initiate those transfers, and from which Plaintiff has received no benefit. 

308. According to 15 U.S.C § 1693c and Regulation E, 12 C.F.R. § 1005.7, all financial 
institutions are required to make the disclosures set forth in § 1005.7(b), before the first electronic 
fund transfer is made involving a consumer’s account. 

309. Coinbase was required to take steps to monitor Plaintiff's account for fraudulent and 
unauthorized transfers. 

310. Coinbase has violated Regulation E by failing to provide appropriate initial disclosures 
to Plaintiff, including: (i) a summary of Plaintiff’s liability under 12 CFR § 1005.6 or under state 
or other applicable law or agreement, for the unauthorized electronic fund transfers; (ii) the 
telephone number and address of the person or office to be notified when Plaintiff believes that 
an unauthorized electronic fund transfer has been or may have been made; and (iii) Coinbase’s 
business days. 

311. Coinbase has also violated Regulation E by failing to provide adequate disclosures to 
Plaintiff concerning: (iv) the type of electronic fund transfers that Plaintiff may make, and any 
limitations on the frequency and dollar amount of transfers; and (v) any fees imposed by 
Coinbase for electronic fund transfers, or for the right to make such transfers. 


312. Coinbase has also violated Regulation E by failing to provide Plaintiff: (vi) a summary 
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of Plaintiff's right to receipts and periodic statements, as provided in 12 CFR § 1005.9, and 
notices regarding preauthorized transfers as provided in 12 CFR § 1005.10(a) and (d); (vii) a 
summary of Plaintiffs right to stop payment of a preauthorized electronic fund transfer and the 
procedure for placing a stop-payment order, as provided in 12 CFR § 1005.10(c); and (viii) a 
summary of Coinbase’s liability to Plaintiff under section 910 of the Act for failure to make or 
to stop certain transfers. 

313. Coinbase has also violated Regulation E by failing to provide Plaintiff: (ix) a notice that 
is substantially similar to Model Form A-3 as set out in appendix A of 12 CFR 1005.1, et seq., 
concerning error resolution; and (x) a notice that a fee may be imposed by an automated teller 
machine operator (as defined in 12 CFR § 1005.16(a)), when a Plaintiff initiates an electronic 
fund transfer or makes a balance inquiry, and by any network used to complete the transaction. 
314. Coinbase failed to undertake its responsibilities to remedy the unauthorized electronic 
fund transfers under the EFTA and Regulation E by failing to timely credit and/or provisionally 
recredit Plaintiff's Coinbase account pending Coinbase’s investigation. 

315. Coinbase users have repeatedly implored Coinbase to help them rectify unauthorized 
transfers related to SIM Swap attacks involving customer accounts on the Coinbase Platform; 
Coinbase has consistently ignored its customers’ requests, and instead, has relied on automated 
responses that frequently fail to address Coinbase users’ concerns. 

316. For many months, and continuing today, Coinbase has turned a blind eye to multiple 
systemic security issues affecting customer accounts on its Platform, which has directly harmed 
Coinbase customers, including Plaintiff, and has further advanced the false notion that victimized 
customers are without any legitimate recourse to ever see those issues corrected. 

317. Before Coinbase participated in the fraudulent transfers of Plaintiff's funds and assets, 
Coinbase knew or should have known of the repeated breaches of its Platform, and of the illicit 
exploitations of its software tools. 

318. Coinbase was or should have been aware of, but was not prepared to handle, time- 
sensitive inquiries concerning unauthorized electronic fund transfers on its customers’ accounts. 


319. Coinbase failed to provide its customers, including Plaintiff, with timely, appropriate 
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customer support, and the requisite disclosures, notices, and information, as required by the 
EFTA and Regulation E. 

320. Plaintiff has provided Coinbase timely actual and/or constructive notice of the 
unauthorized electronic transfers on his Coinbase account and affecting his bank account and 
Crypto Wallets. 

321. Coinbase has never provided Plaintiff with disclosures compliant with 12 C.F.R. § 
1005.7(b). Therefore, under 15 U.S.C. § 1693g and/or 12 C.F.R. § 1005.6, Plaintiff has no 
liability for the unauthorized electronic fund transfers. 

322. Coinbase failed to timely and in good faith investigate the unauthorized electronic fund 
transfers from Plaintiff's Coinbase account, as required by 15 U.S.C. § 1693f(a)(3) and 15 U.S.C. 
§ 1693f(d), when Coinbase failed to conduct a timely and reasonable review of its own records 
as, or when the first twenty-two (22) unauthorized transactions on Plaintiff's Coinbase account 
occurred, and as or when the 2.05 BTC was transferred from Plaintiff's BTC Wallet hosted on 
the Coinbase Platform, to the Doe Defendants’ off-Platform BTC Wallet. See 12 C.F.R. § 
205.11(c)(4); see also Supp. I to § 205 at 11(c)(4)-S. 

323. Adequate and timely investigations would have led Coinbase to the conclusion that fraud 
was occurring and had occurred on Plaintiff's Coinbase account, given that Plaintiff had not 
authorized the transfers at issue, and considering that these kinds of fraudulent transfers were 
previously and widely reported by other Coinbase users who had experienced SIM Swap attacks. 
324. Plaintiff is entitled to compensatory damages, attorneys’ fees, and costs for Coinbase’s 
inadequate investigation, pursuant to 15 U.S.C. § 1693m(a). 

325. Because Coinbase has failed to timely correct the “errors” (statutorily defined to include 
“unauthorized electronic fund transfers”) on Plaintiff's account, by failing to timely credit or 
provisionally recredit Plaintiff's account after Plaintiff's account had been breached and drained 
of funds (see 15 U.S. Code § 1693f(b)-(c)), this failure, separately, results in compensatory 
damages owed to Plaintiff, pursuant to 15 U.S.C. § 1693m(a). 

326. Because Coinbase has failed to conduct timely, good faith investigations into the 


fraudulent transactions that Plaintiff actually or constructively reported to Coinbase, and has, as 
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a result, failed to provide Plaintiff reasonable and effective notice based on any such reasonable, 
good faith investigation of the unauthorized electronic fund transfers, Coinbase is liable for treble 
damages under the EFTA. 

327. Coinbase has failed to use the resources and procedures needed to timely resolve the 
fraud that occurred on Plaintiff's Coinbase account, thus demonstrating Coinbase’s persistent 
inability or unwillingness to timely form a reasonable basis for believing Plaintiffs account was 
not in “error.” 

328. To the extent Coinbase has concluded that Plaintiff's account was not in “error,” 
Coinbase has knowingly and willfully reached that conclusion when that conclusion could not 
reasonably have been drawn from the evidence available to Coinbase at the time of any 
investigation conducted by Coinbase. 

329. Plaintiff is entitled to compensatory damages, attorneys’ fees, and costs under 15 U.S.C. 
§ 1693m, as well as treble damages under 15 U.S.C. § 1693f(e). 

330. Coinbase is liable for treble damages under the EFTA because it has not had any 
reasonable basis for believing Plaintiff's account was not in “error.” 


SECOND CLAIM FOR RELIEF 


COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030) (“(CFAA”) (AGAINST ALL 


DEFENDANTS) 
331. Plaintiff realleges and incorporates each of the above paragraphs 1 — 330, as though fully 


set forth in this cause of action. 

332. Plaintiff's mobile device is capable of connecting to the Internet. 

333. Plaintiff's BTC and BSV Wallets are capable of connecting to the Bitcoin network. 
334. Defendants intentionally accessed Plaintiff's BTC and BSV Wallets, without Plaintiff's 
authorization, in order to assist or benefit from the theft, exchange, or sale of Plaintiff's 
valuable digital assets. 

335. Defendants intentionally accessed Plaintiff's mobile device without Plaintiffs 
authorization, in order to assist or benefit from the theft, exchange, or sale of Plaintiff's 


valuable digital assets. 
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336. Defendants, including their agents and employees, took these actions knowing that they 
would cause damage to Plaintiff's mobile device, as well as damage to the information located 
on his mobile device. 
337. Defendants, including their agents and employees, took these actions knowing that they 
would cause damage to Plaintiff's BTC and BSV Wallets, as well as damage to the 
cryptocurrencies in those Wallets. 
338. Defendants caused Plaintiff's mobile device and certain valuable data on it, specifically 
text messages sent to his device by or because of Coinbase, to be unusable to him. 
339. Defendants caused Plaintiff's BTC and BSV Wallets and certain valuable assets in 
them, specifically bitcoins and BSV, to be unusable to him. 
340. Asa direct and proximate result of the Defendants’ actions, Plaintiff has suffered 
damage to his mobile device, and damage to or loss of information on his mobile device, which 
Plaintiff was unable to access for critical period of time. 
341. Asadirect and proximate result of the Defendants’ actions, Plaintiff has suffered 
damage to his BTC and BSV Wallets, and damage to or loss of cryptocurrencies, which 
Plaintiff has been unable to access for over a year. 
342. The act of performing an unauthorized SIM Swap of Plaintiff’s mobile SIM card was in 
the scope of work for the employees and agents of DOES 1-50. 
343. The act of authorizing access devices associated with Coinbase customer accounts was 
in the scope of work for the employees and agents of Coinbase. 
344. Plaintiff spent approximately $5,000 investigating who accessed and/or damaged, 
interfered with, or wrongfully used Plaintiff's mobile device and/or damaged information on it; 
as well as who accessed and/or damaged, interfered with, or wrongfully used Plaintiff's BTC 
and BSV Wallets and/or damaged the assets in them. 
THIRD CLAIM FOR RELIEF 
VIOLATIONS OF CALIFORNIA CONSUMER PRIVACY ACT OF 2018 (““CCPA”) — 
CAL. CIV. CODE §§ 1798.100 ET SEQ. (AGAINST COINBASE AND DOES 1 - 10 


345. Plaintiff realleges and incorporates each of the above paragraphs 1 — 344, as though fully 
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set forth in this cause of action. 

346. Civil Code section 1798.150, subdivision (a)(1), provides, 
Any consumer whose nonencrypted and nonredacted personal information is subject to 
an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s 
violation of the duty to implement and maintain reasonable security procedures and 
practices appropriate to the nature of the information to protect the personal information 
may institute a civil action for any of the following: [(i) statutory damages or actual 
damages, whichever is greater; (ii) injunctive or declaratory relief; and (iii) any other 
relief the court deems proper. | 

See Cal. Civ. Code. §1798.150. 

347. Plaintiff is a “consumer” within the meaning of Cal. Civ. Code § 1798.140(g). 

348. Defendants are “businesses” within the meaning of Cal. Civ. Code § 1798. 140(0). 

349. Plaintiff has provided Coinbase and DOES 1-10 “personal information” within the 

meaning of Cal. Civ. Code § 1798. 140(V). 

350. From 2013 to the present, Defendants were aware of the confidential and sensitive nature 

of the personal and financial information Plaintiff provided Defendants. 

351. Defendants violated Cal. Civ. Code §§ 1798.100 et seg. (“CCPA”) by subjecting 

Plaintiff's nonencrypted personal and sensitive information to unauthorized access, exfiltration, 

theft, and disclosure as a result of Defendants’ violations of their duties to implement and 

maintain security procedures and practices appropriate for the nature and sensitivity of that 

information, in violation of Cal. Civ. Code § 1798.150(a). 

352. Plaintiff has suffered injuries stemming from Defendants’ loss and unauthorized 

exposure of Plaintiff's valuable and confidential digital assets, including: (i) the lost or 

diminished value of his digital identification data—for instance, whereas legitimate buyers of 

digital consumer data compensate consumers with contracted-for services in exchange for 

personal information, now, as a result of Defendants’ disclosures of Plaintiff's data to 

unauthorized individuals and companies, third-parties (including marketing companies, 


salespeople, scammers, and hackers) can now obtain this information for free; (ii) out-of-pocket 
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expenses associated with the prevention, detection, and recovery from potential identity theft, 
tax fraud, and unauthorized use of Plaintiffs PII; (iii) lost opportunity costs associated with 
efforts expended, and Plaintiff's loss of productivity in attempting to mitigate the consequences 
of Defendants’ actions and omissions, including but not limited to Plaintiff's lost time, at an 
estimated average loss of $125 per hour in lost labor hours, which he has spent and will spend 
mitigating his potential and realized losses; as well as restoring the ability to log into and 
completely recover his Coinbase account; dealing with impersonation activities, including 
phishing emails; reviewing his credit reports; scrutinizing his financial information; detecting 
identity theft; and changing his passwords; (iv) continued risks to Plaintiffs PII, to the extent it 
is still in Defendants’ respective possessions and subject to further unauthorized disclosures, for 
as long Defendants fail to protect his PI; and (v) future costs in terms of loss of time, effort, and 
money that will be expended to monitor, prevent, detect, contest, and repair the impact of the 
cyber-identification data compromised and altered as a result of Defendants’ actions and 
omissions, for the remainder of Plaintiff's life. 

353. Pursuant to Cal. Civ. Code § 1798.150(b), prior to the filing of this Complaint, on April 
20, 2023, counsel for Plaintiff served Coinbase with notice of the alleged CCPA violations by 
certified mail, return receipt requested, and by email. See Notice of CCPA Violations, copy 
attached hereto as “Exhibit C” (without attachments; with copy of return receipt attached). 
Coinbase has not responded. 

354. Cures to Coinbase’s violations are possible. Coinbase has failed to cure these violations, 
or if it has, Coinbase has failed to provide Plaintiff with an express written statement that the 
violations have been cured. 

355. Plaintiff is entitled to actual, punitive, and statutory damages, disgorgement, restitution, 
and other relief available under Cal. Civ. Code § 1798.150(a). 

356. Plaintiff seeks injunctive relief in the form of an order enjoining Coinbase from 
continuing to violate the CCPA because, unless and until Coinbase is restrained by order of this 
Court, Coinbase will continue causing injuries, including irreprable harm to Plaintiff and to other 


similarly situated Coinbase customers. 
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FOURTH CLAIM FOR RELIEF 

VIOLATIONS OF CALIFORNIA’S SHINE THE LIGHT LAW — CAL. CIV. CODE §§ 

1798.83 ET SEQ. (AGAINST COINBASE 
357. Plaintiff realleges and incorporates each of the above paragraphs 1 — 356, as though fully 
set forth in this cause of action. 
358. Plaintiff is a “customer” of Coinbase, as defined by Cal. Civ. Code § 1798.83(e)(1). 
359. Plaintiff and Coinbase were engaged in an ongoing “established business relationship,” 
as defined by Cal. Civ. Code § 1798.83(e)(5). 
360. Coinbase did not provide the legally required privacy disclosures to Mr. Dellone pursuant 
to Cal. Civ. Code § 1798.83(b)(1). 
361. Plaintiff requested his account data from Coinbase in January 2022, February 2022, and 
April 2023, and on each occasion Coinbase failed to provide him with complete, accurate, and 
timely disclosures in response to Plaintiff's account data disclosure requests, in violation of Cal. 
Civ. Code § 1798.83(a). 
362. Plaintiff's personal information has monetary value and can be sold for a profit or 
exchanged for services. 
363. Coinbase’s failure to comply with Cal. Civ. Code § 1798.83(b)(1) diluted the value of 
Plaintiff’s personal information. 
364. Because Coinbase has deprived Mr. Dellone of the opportunity to sell his personal 
information for financial or personal gain in the future, Plaintiff has not received the full value 
of the services for which he paid Coinbase. 
365. Coinbase’s failure to comply with Cal. Civ. Code § 1798.83(b)(1) prevented Plaintiff 
from mitigating his ongoing injuries caused by the breaches of his Coinbase account. 
366. Coinbase’s failure to provide the proper section 1798.83(b)(1) disclosures has deprived 
Plaintiff of value, and caused him economic harm. Plaintiff has sustained, and continues to 
sustain monetary injuries as a direct and proximate cause of Coinbase’s violations. 
367. Plaintiff is entitled to civil penalties pursuant to Cal. Civ. Code § 1798.84(c). 


368. Plaintiff requests that this Court enjoin Coinbase’s unlawful conduct, including 
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Coinbase’s ongoing exploitation of Plaintiff's data and information, in all forms, pursuant to Cal. 
Civ. Code § 1798.84(e). 
FIFTH CLAIM FOR RELIEF 


VIOLATION OF CALIFORNIA PENAL CODE § 496 (AGAINST COINBASE 


369. Plaintiff realleges and incorporates each of the above paragraphs 1 — 368, as though fully 
set forth in this cause of action. 
370. California Penal Code § 496(a) prohibits any person from buying or receiving “any 
property that has been stolen or that has been obtained in any manner constituting theft or 
extortion, knowing the property to be so stolen or obtained, or who conceals, sells, withholds, or 
aids in concealing, selling, or withholding any property from the owner, knowing the property 
to be so stolen or obtained.” 
371. Coinbase is a “person,” as that term is used in Cal. Pen. Code § 496. 
372. Coinbase violated California Penal Code § 496 by obtaining personal property (crypto- 
assets and digital U.S. Dollar-denominated financial obligations), belonging to Plaintiff, by theft, 
and by knowingly withholding said property from Plaintiff. 
373. Coinbase violated California Penal Code § 496 by aiding in obtaining and withholding 
the crypto-assets and “digital dollars” belonging to Plaintiff, which Coinbase knew to be stolen. 
374. Plaintiff has been injured by Coinbase’s violation of California Penal Code § 496. 
375. Pursuant to California Penal Code § 496(c), Plaintiff is entitled to three times the amount 
of his actual damages, to be proven at trial, but in any event, in an amount not less than $303,000, 
plus cost of suit, and reasonable attorneys’ fees. 
SIXTH CLAIM FOR RELIEF 

CONVERSION (AGAINST ALL DEFENDANTS) 
376. Plaintiff realleges and incorporates each of the above paragraphs 1 — 375, as though fully 
set forth in this cause of action. 


999 


377. In California, “ ‘ “[c]onversion is a strict liability tort,” ’ .... Financial institutions can 
be liable to their depositors for transferring money out of their accounts on forged instruments.” 
Fong v. East West Bank, 19 Cal.App.5th 224, 235 (2018) (internal citation omitted). 
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378. Plaintiff owns and has the right to possess the private key(s) for the Bitcoin Wallet(s) 
hosted by Coinbase for Mr. Dellone, which were or are associated with 2.05698427 bitcoins 
formerly in Mr. Dellone’s Coinbase account. 
379. The private key(s) and Bitcoin Wallets, and/or the 2.05698427 BTC stolen from Plaintiff, 
have measurable valuable. 
380. Defendants were not authorized to obtain, retain, or exercise control, dominion, or 
ownership over Plaintiff's bitcoins. 
381. Defendants knowingly obtained, retained, and exercised control and dominion over 
Plaintiff's 2.05 bitcoins, to Plaintiff’s exclusion. 
382. Defendants intended to permanently deprive Plaintiff of his 2.05 bitcoins. 
383. Plaintiff has been deprived of the possession and use of his crypto-assets, digital dollars, 
fiat currency-denominated financial instruments, and the 2.05 BTC representing the sum of those 
assets, since December 14, 2021. 
384. Plaintiff has demanded the return of his bitcoins from Coinbase. 
385. Plaintiff will demand the return of his bitcoins from the appropriate DOES 1-50 when he 
learns their true identities, or as soon as otherwise practicable. 
386. Plaintiff has suffered actual injury and damages of compensable value stemming from 
the conversion of his digital assets and 2.05 BTC, in an amount to be proved at time of trial. 
SEVENTH CLAIM FOR RELIEF 

TRESPASS TO CHATTELS (AGAINST DOES 1-50) 
387. Plaintiff realleges and incorporates each of the above paragraphs 1 — 386, as though fully 
set forth in this cause of action. 
388. On December 14, 2021, DOES 1-50 deprived Plaintiff of the use of his mobile phone for 
several hours. 
389. Plaintiff's mobile phone was in his possession when Defendants intentionally interfered 
with the physical condition of his phone, and with Plaintiff's use of it. 
390. Defendants interfered with Plaintiffs rights to his personal property by depriving him of 


his use of his mobile phone, without his permission. 
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391. Plaintiff did not consent to Defendants’ interference with his use of his mobile phone. 
392. Plaintiff was harmed by Defendants’ interference with his use of his mobile phone. 
393. Defendants’ interference with Plaintiff's mobile phone and cellular service were 
substantial factors resulting in Plaintiffs harms. 
394. Asaproximate and legal result of Defendants’ interference with Plaintiff's property and 
his use of it, Plaintiff has been damaged in an amount according to proof at time of trial. 
395. Defendants’ respective trespasses to Plaintiff's personal property were each oppressive, 
fraudulent, or malicious. Accordingly, Defendants are subject to exemplary damages, in favor 
of Plaintiff. 
EIGHTH CLAIM FOR RELIEF 

TRESPASS TO CHATTELS (AGAINST COINBASE) 
396. Plaintiff realleges and incorporates each of the above paragraphs 1 — 395, as though fully 
set forth in this cause of action. 
397. Plaintiff owned and had a right to possess the crypto-assets associated with his Coinbase 
account, which Defendants converted into Bitcoin on December 14, 2021. 
398. Plaintiff owned and had a right to possess the “Digital Currencies,” U.S. Dollars, and 
“USD Coin” in his Coinbase-issued wallets, which Defendants converted to BTC on December 
14, 2021. 
399. Coinbase interfered with the physical condition of Plaintiffs crypto-assets, and with his 
possession of his private keys or Crypto Wallets, by exchanging his crypto-assets for “digital 
dollars,” without Plaintiff's knowledge or express permission. 
400. Coinbase intentionally interfered with the physical condition of Plaintiff's U.S. Dollars 
and USDC, and his possession of those assets, by exchanging those assets for Bitcoin without 
Plaintiff's knowledge or express permission. 
401. Plaintiff was harmed by Coinbase’s interferences with his crypto-assets, U.S. Dollars, 
and USDC, and Coinbase’s conversion of those assets to Bitcoin was a substantial factor in 
causing Plaintiffs harms. 


402. Plaintiff did not consent to Coinbase’s interference with his possession and use of 
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$17,100 in “digital dollars,” or with any of the crypto-assets or Wallets he had stored on the 
Coinbase Platform. 
403. Plaintiff has been deprived of his possession and his use of his digital dollars and his 
valuable and priceless crypto-assets for more than a year. 
404. Coinbase’s conduct has prevented Plaintiff from exercising dominion and ownership 
over his personal property by interfering with his ability to move his funds and assets off the 
Coinbase Platform to a more secure location. 
405. Coinbase’s conduct was a substantial factor in causing Plaintiff's losses, irreparable 
harms, and the injuries sustained by Plaintiff. 
406. As a proximate and legal result of Coinbase’s wrongful interferences, Plaintiff has 
suffered personal property damages and losses exceeding $101,000. 
NINTH CLAIM FOR RELIEF 

NEGLIGENCE (AGAINST COINBASE) 
407. Plaintiff realleges and incorporates each of the above paragraphs 1 — 406, as though fully 
set forth in this cause of action. 
408. Coinbase owed a duty to Plaintiff to exercise reasonable care in safeguarding his 
sensitive personal information. This duty included designing, maintaining, monitoring, and 
testing Coinbase’s, and its agents’, partners’, Affiliates’, and independent contractors’ systems, 
protocols, or practices (as applicable), in order to help safeguard Plaintiffs digital assets and 
prevent unauthorized transfers on and from the Coinbase Platform. 
409. Coinbase’s duties arose from the sensitivity of Plaintiff's Coinbase account data and the 
foreseeability of harms to Plaintiff should Coinbase fail to safeguard and protect his data. 
410. Coinbase owed a duty to Plaintiff to take reasonable steps to protect his sensitive 
customer account information from unauthorized use, access, and disclosure. 
411. Coinbase had a duty to ensure that Plaintiff's personally identifiable information (PII) 
was only used, accessed, and disclosed with Plaintiff's proper authorized consent. 
412. Coinbase had a duty to Plaintiff to implement a security system reasonably designed to 


prevent and detect unauthorized transfers from Plaintiff's Coinbase account, in a reasonably 
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timely manner, as Coinbase had represented it would, and as was required of Coinbase by the 
Bank Secrecy Act. 

413. Coinbase owed a duty to Plaintiff to disclose the material fact that its data security 
practices were inadequate to prevent Plaintiff's Coinbase account information from being 
improperly accessed and exfiltrated by unauthorized third-parties, and from misuse and 
misappropriation of his PII resulting from unauthorized access by Coinbase’s employees, agents, 
Affiliates, and individuals and computer programs subject to Coinbase’s control. 

414. Coinbase owed Plaintiff a duty to adequately disclose its inability to prevent Plaintiffs 
confidential account information from unauthorized dissemination, as of, and after December 
14, 2021. 

415. Coinbase owed a duty to Plaintiff to exercise due care in designing a reasonably secure 
website and Platform for its customers’ use. 

416. Coinbase owed Plaintiff a duty to safeguard his Coinbase account by employing industry 
standard cybersecurity measures reasonably designed to protect his digital assets against 
unauthorized transfers. 

417. Plaintiffs willingness to contract with Coinbase and entrust his confidential and sensitive 
data to Coinbase was predicated on his reasonable belief that Coinbase would implement 
statutorily-recognized electronic fund transfer procedures and customer-authentication protocols 
required of regulated consumer financial institutions subject to FinCEN regulations. 

418. Coinbase knew or should have known, in December 2021, that its cybersecurity practices 
and customer dispute resolution policies, as then implemented, were inadequate for a financial 
technology company dealing with cryptocurrency and digital P2P financial asset exchanges. 
419. Coinbase was uniquely positioned to provide material information to Plaintiff regarding 
the features and quality of Coinbase’s cybersecurity, but Coinbase failed to do so. 

420. On December 14, 2021, Coinbase approved blatantly fraudulent financial transactions 
and plainly unauthorized account profile-change requests, and changed the email address and 
phone number associated with Plaintiff's Coinbase account, without Plaintiff's knowledge, 


consent, or permission, through no fault of Plaintiff. 
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421. Coinbase’s negligence, wanton disregard for Plaintiff's privacy and property, and 
recklessness with respect to digital asset transfers on and off its Platform, are exemplified by 
Coinbase’s failures to: (i) establish adequate user-authentication measures consistent with 
industry standards, governmental regulations, and its own promises; (ii) implement reasonable 
cybersecurity protocols consistent with industry standards, governmental regulations, and its 
own internal policies; (iii) enforce or follow Coinbase’s own purported security procedures, 
including Coinbase’s self-imposed obligation to ensure that a 2FA code is input as a condition 
precedent to executing transfers of cryptocurrencies from Mr. Dellone’s account or Wallets, to 
another person’s Coinbase account or Wallets; (iv) properly respond to, address, and monitor 
customer complaints concerning hackers and scammers targeting Coinbase users for the users’ 
personal and confidential data, despite knowing these issues were prevalent on the Coinbase 
Platform; (v) abide by its own purported security policies, which required the input of a 2FA 
code sent to a phone number connected to a physical mobile device, before executing any transfer 
of funds off the Coinbase Platform; and (vi) provide the security protections Coinbase promised, 
before executing irrevocable transfers affecting Plaintiff's Coinbase account. 

422. Coinbase, as a custodial Wallet services provider, breached its duties to Plaintiff by 
failing to: (vii) implement and maintain appropriate security procedures necessary to safeguard 
Plaintiff's Coinbase account and data, including his PII, from unauthorized access and misuse; 
(viii) detect unauthorized account breaches on its Platform in a timely manner; (ix) appropriately 
and timely disclose that Coinbase’s data security practices were inadequate to protect Plaintiff's 
assets; (x) adequately supervise its employees and software to prevent improper access to 
Plaintiff's Coinbase account or unlawful utilization of his account information and data without 
authorization or current proof of valid user identification; and (xi) provide adequate and timely 
notices of unauthorized access involving Plaintiff's Coinbase account. 

423. Coinbase breached its duty to exercise reasonable care in safeguarding Plaintiffs 
Coinbase account and the digital assets stored therein, by failing to implement reasonable 
security measures designed to prevent unauthorized SIM Swap attacks, even though such attacks 


had been widely recognized as likely to result in unauthorized transactions and losses of various 
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digital assets that Coinbase’s retail customers, including Plaintiff, entrusted to Coinbase’s 
custody. 

424. Between December 14, 2021 and December 17, 2021, Coinbase breached its duty to 
provide Plaintiff a reasonable means to contact an appropriately authorized and sufficiently 
trained Coinbase employee, representative, or agent, without undue delay. 

425. Plaintiffs harms, losses, and property damages, as well as the imminent, substantial, and 
impending harms to his mental health, online privacy, and personal property, have been directly 
and proximately caused by Coinbase’s breaches of its duties to Plaintiff. 

426. Coinbase’s derogations of its legal duties caused Plaintiff to lose his valuable personal 
information and digital assets, and his control of his Coinbase account, as well as his sensitive 
and confidential financial information and data accessible from his Coinbase account. 

427. Coinbase’s breaches of its duties to Plaintiff have resulted in reasonably foreseeable 
damages that were actually and proximately caused by Coinbase’s failures to use Plaintiff’s data 
to secure his account and assets, mitigate harms, and avoid irrecoverable losses. 

428. Plaintiff did not contribute to the insufficient measures Coinbase used to ineffectively 
safeguard his digital property and privacy rights. 

429. Plaintiff has been significantly harmed as a legal result of Coinbase’s negligent conduct. 
430. Plaintiff continues to suffer increased risks of future online account compromises and 
fraud to this day. 

431. The increased risks of future digital interferences make Plaintiff's expenditure of time 
and resources aimed at monitoring and mitigating harms to his digital and personal life 
reasonably necessary. 

432. Monitoring and mitigation tools exist that make early detection, prevention, and 
mitigation of future harms to Plaintiff possible and beneficial. 

433. Plaintiff seeks compensatory damages for the harms he sustained, and for the damages 
to his property, in an amount sufficient to compensate him for his actual harms and losses, and 
to restore him to his original position, prior to Coinbase’s unauthorized disclosure of his 


Coinbase account credentials and the breach of his Coinbase account, considering: (a) the 
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difference between the current value of his lost and damaged assets and the value of those assets 
had the harms not been done; (b) the costs of repair or restoration of his property; (c) the 
emotional and potential future harms sustained by Plaintiff; (d) Coinbase’s need for and 
development of an adequate loss mitigation and refund or reimbursement plan, consistent with 
industry standard online financial business practices, as an element of damages; and (e) the 
actual, consequential, and nominal damages flowing from Coinbase’s negligence, to the extent 
those damages are the natural and proximate result of Coinbase’ conduct as herein alleged. 
434. Plaintiffis entitled to compensatory damages, with pre-and post-judgment interest, costs 
of suit, attorneys’ fees, and other relief as this Court deems just and proper, in an amount to be 
determined at trial. 
TENTH CLAIM FOR RELIEF 

BREACH OF IMPLIED CONTRACT (AGAINST COINBASE) 
435. Plaintiff realleges and incorporates each of the above paragraphs 1 — 434, as though fully 
set forth in this cause of action. 
436. Plaintiff owned the cryptocurrencies and PII in and associated with his Coinbase account. 
437. A bailment is the delivery of a thing, to another, for some special object or purpose, on a 
contract, express or implied, to conform to objects or purposes of the delivery. The California 
Civil Code refers to bailments as “deposits,” however, case law often employs the common law 
term, “bailment,” as well as the terms “bailor” and “bailee.” A breach of bailment contract may 
be asserted by the bailor when the bailee fails to return that which was bailed. 
438. Plaintiff bailed his digital assets to Coinbase according to a bailment-for-hire agreement 
on the following terms: (i) upon Coinbase’s requests, Plaintiff provides his cyber-identification 
data, and his Personally Identifiable Information (PII), to Coinbase; (ii) Plaintiff allows Coinbase 
to use his PII and digital assets for business purposes not related to security; (iii) Coinbase 
promises to use Plaintiff's PII and data for security purposes, including to affirmatively take 
steps to prevent and reasonably delay irreversible losses of the digital assets Plaintiff bails to, or 
deposits with Coinbase. 


439. When Coinbase transferred Plaintiffs bitcoins to the off-Platform Bitcoin Wallet and 
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permitted unauthorized changes to his Coinbase account profile data, Coinbase did not exercise 
the degree of care that an ordinarily prudent bailee, or an ordinarily prudent custodial Wallet 
service provider in Coinbase’s position, would exercise with respect to its own digital assets. 
440. Plaintiff has demanded that Coinbase return his digital assets to him. Coinbase has not 
returned Plaintiff’s digital assets, or any portions thereof, to Plaintiff, nor has Coinbase allowed 
Plaintiff to access his assets (to the extent still possible), thereby breaching the terms of 
Coinbase’s and Plaintiff's implied bailment contract. 
441. Asa proximate result of Coinbase’s breach, Plaintiff has suffered economic loss in an 
amount to be proved but no less than 2.05698427 BTC, plus the reasonable or fair market value 
of all Plaintiff's data collected by Coinbase and its Affiliates as a result of the implied contract. 
ELEVENTH CLAIM FOR RELIEF 

BREACH OF GOOD FAITH AND FAIR DEALING (AGAINST COINBASE) 
442. Plaintiff realleges and incorporates each of the above paragraphs 1 — 441, as though fully 
set forth in this cause of action. 
443. In or around December 6, 2021, the Parties entered into a contract with implied 
provisions. The terms of the contract were found in Sections 5, 10, and 11 of Coinbase’s Privacy 
Policy, and Section 2.6.2 of the User Agreement. Attached hereto and incorporated herein as 
Exhibit A is a true and correct copy of the User Agreement, including Coinbase’s Privacy Policy. 
444. Coinbase stated that it collects confidential and private cyber-identification data about 
Plaintiff to recognize him and maintain information about his access devices, in order to mitigate 
risk, help prevent fraud, and promote trust and safety on the Coinbase Platform. 
445. Plaintiff agreed to provide Coinbase with his sensitive, personal, financial, and 
confidential data, including his PII, because Coinbase agreed to monitor and take reasonable 
steps secure Plaintiff's Coinbase account using the data Coinbase collected from and about 
Plaintiff, as well as take actions including but not limited to implementing effectively-enforced 
waiting periods on his Coinbase account if, or in the event that highly-suspicious account activity 
occurs on his Coinbase account. 


446. Coinbase breached its contractual obligations to Plaintiff by misusing the data it collected 
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from and about Plaintiff, and by failing to utilize said data to detect and make the proportionally- 
necessary efforts required to prevent SIM Swap attacks and related fraud on Plaintiff’s Coinbase 
account. 

447. Coinbase breached the contractual obligations it owed Plaintiff by failing to use the data 
it collected from and about Plaintiff to mitigate the harms and losses caused by reasonably 
detectable fraud on the Coinbase Platform, including fraud accomplished by exploitations of 
well-known attack vectors persistently left open for multiple years on the Coinbase Platform, 
which Coinbase was exclusively or best positioned to address and prevent. 

448. Plaintiff has performed all covenants and conditions required by the implied provisions 
of the contract, or has been excused from doing so by Coinbase’s breach. 

449. Asa proximate result of Coinbase’s breach, Plaintiff has suffered economic loss. 

450. Coinbase’s breach has resulted in damages sustained by Plaintiff in an amount exceeding 
$210,000, plus additional amounts according to proof at trial. 


TWELFTH CLAIM FOR RELIEF 


INTENTIONAL MISREPRESENTATION (AGAINST COINBASE) 


[As An Alternative To Breach Of Good Faith And Fair Dealing] 
451. Plaintiff realleges and incorporates each of the above paragraphs 1 — 450, as though fully 


set forth in this cause of action. 

452. On December 6, 2021, and at various times from October 2013 to December 14, 2021, 
Coinbase intentionally represented to Plaintiff that Coinbase would make available to Plaintiff a 
reasonable means for him to prevent, delay, and recover assets lost or adversely impacted as a 
result of Coinbase’s improper authorization and facilitation fraudulent financial transactions on 
Plaintiff's Coinbase account. 

453. Coinbase knew its representations—including those representations found in Sections 5, 
10, and 11 of Coinbase’s Privacy Policy; in Coinbase’s Cookie Policy (concerning its use of 
Flash Cookies); on Coinbase’s website (concerning its compliance with AML/KYC regulations); 
and in Coinbase’s email correspondence with Plaintiff (concerning Plaintiffs liability for 


unauthorized transactions)—were false when Coinbase made those representations. 
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454. In some instances, Coinbase made its representations, intentionally, for the purpose of 
deceiving Plaintiff, or to actively conceal information from Plaintiff, as herein alleged. 
455. To the extent Coinbase made its misrepresentations inadvertently or unintentionally, 
Coinbase did do with reckless disregard for the truth. 
456. As aresult of Plaintiffs reliance on Coinbase’s intentional misrepresentations, Plaintiff 
became exceptionally vulnerable to financially devastating cyber-attacks that were reasonably 
foreseeable to, and preventable exclusively by Coinbase. 
457. Plaintiffs reliance on Coinbase’s intentional misrepresentations was a substantial factor 
in causing Plaintiff's harms. 
458. Plaintiff was harmed by his reliance on Coinbase’s misrepresentations, in an amount to 
be proved at time of trial, but in any event, in an amount exceeding Plaintiff’s investigation fees 
and costs, attorney’s fees, and costs of this suit. 
459. Plaintiff is entitled to punitive damages under California Civil Code § 3294(a) because 
Coinbase made its representations with fraud, oppression, or malice. 
THIRTEENTH CLAIM FOR RELIEF 

GROSS NEGLIGENCE (AGAINST COINBASE) 
460. Plaintiff realleges and incorporates each of the above paragraphs 1 — 459, as though fully 
set forth in this cause of action. 
461. Coinbase owed a duty to Plaintiff, as a Coinbase customer, to provide security consistent 
with applicable laws, regulations, its own internal policies, and the promises Coinbase made to 
Plaintiff. This duty required Coinbase to ensure that its computer systems, software, and its 
personnel, are programmed or adequately trained to take actions necessary to protect the 
financial information of Coinbase’s users, and avoid assisting in unlawful exploitations of its 
customers’ data. This duty also required Coinbase to take reasonable, common-sense steps to 
ensure Plaintiff's Coinbase account profile data would not be continuously exposed to the public 
in unencrypted, plain-text form. 
462. Coinbase owed a special duty of care to Plaintiff because Plaintiff was a retail consumer 


customer of Coinbase for over eight years, and on that basis, he was a reasonably foreseeable 
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and likely target for bad actors engaged in, or seeking to carry out SIM Swap attacks using the 
data Coinbase collected and leaked to the public. 

463. Coinbase owed a special duty to Plaintiff to take reasonable steps to actively detect and 
prevent SIM Swap attacks targeting consumer financial accounts with up to $250,000 in assets 
hosted by Coinbase on the Coinbase Platform. This duty arose from Coinbase’s unique position 
as a regulated and insured consumer financial account provider and digital asset custodian. 

464. Plaintiff reasonably believed and relied upon Coinbase’s representations that Coinbase 
securely locks its customers’ accounts whenever potentially fraudulent or suspicious behavior is 
reported or detected on a Coinbase customer’s account. 

465. Plaintiff reasonably believed and relied upon Coinbase’s representations that Coinbase 
requires sufficient proof of customer identification prior to approving and facilitating critical 
account actions and irreversible transfers initiated or requested on a Coinbase customer account 
by one or more previously-unauthorized devices. 

466. Given the procession of increasingly common and consistently devastating SIM Swap 
attacks on many Coinbase customers over a period of several years, Coinbase was acutely aware 
and should have reasonably foreseen that the cyber and operational security it was providing for 
its customers between January 1, 2021 and December 14, 2021, was likely to expose Plaintiff, 
its unsuspecting and longstanding retail consumer customer, to significantly greater risk of 
becoming targeted and victimized by a SIM Swap activity. 

467. Between 2013 and 2022, Coinbase users’ accounts were subject to hundreds, if not 
thousands of unauthorized SIM Swap attacks, which Coinbase failed to prevent, and which have 
resulted in countless retail consumers losing vast amounts of valuable digital assets, including, 
as here, tens of thousands of dollars’ worth of long-term investment assets and digital 
heirlooms—notably, Plaintiff's 0.5 BTC, which Plaintiff had been saving for nearly decade, and 
which he had intended, one day (likely decades from now), to pass down to his children. This 
duty arose from Coinbase’s recognition that many of its customers use their Coinbase accounts 
to store and secure digital assets—including non-fungible assets—that, in some instances, may 


be priceless to Coinbase’s customers and/or have significant personal value, independent of the 
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fair market value of those assets. 
468. Coinbase owed a special duty to Plaintiff to actively stop and address SIM Swap attacks 
involving consumer financial accounts hosted by Coinbase on the Coinbase Platform. 
469. Coinbase recklessly destroyed eight-years’ worth of Plaintiff's hard-earned savings and 
all of his financially and sentimentally valuable crypto-assets, within a span of mere hours; then 
Coinbase insistently blamed the devastation on Plaintiff, in a repulsive and audacious effort to 
avoid all accountability for Coinbase’s own egregiously wrongful conduct. 
470. Coinbase breached its special duties of care to Plaintiff by deliberately determining that 
the economic risk of admitting any responsibility for the fraud on Plaintiff's account was not 
outweighed by the economic harm of disgorging transaction revenues it had recognized in its 
first year as a publicly-traded company. 
471. As a direct and proximate result of Coinbase’s grossly negligent conduct—including 
Coinbase’s false statements that Plaintiff owes Coinbase “reimbursement” monies to 
compensate Coinbase for its own senseless neglect and wanton misrepresentations—Plaintiff 
has suffered injury and is entitled to punitive damages, in an amount to be proved at time of trial. 
FOURTEENTH CLAIM FOR RELIEF 
CALIFORNIA CONSUMER LEGAL REMEDIES ACT (““CLRA”) — UNFAIR AND 


DECEPTIVE PRACTICES, CAL. CIV.CODE §§ 1770, ET SEQ. 


(AGAINST COINBASE) 
472. Plaintiff realleges and incorporates each of the above paragraphs 1 — 471, as though fully 


set forth in this cause of action. 

473. The California Civil Code section 1750, et seg., also known as the Consumers Legal 
Remedies Act (“CLRA”), prohibits various “unfair methods of competition and unfair or 
deceptive acts or practices undertaken by any person in a transaction intended to result or which 
results in the sale or lease of goods or services to any consumer.” 

474. Plaintiff sought and acquired services from Coinbase for his personal, family and 
household purposes. 


475. As a Coinbase customer, Plaintiff engaged in transactions with Coinbase concerning 
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services related to the security and custodianship of his private keys. 

476. Coinbase’s actions, as alleged above, either violated, or continue to violate the CLRA, 
including: section 1770(a)(5), for making representations that its services have characteristics, 
uses, or benefits which they do not; section 1770(a)(7), for making representations that its 
services are of a particular quality, which they are not; and section 1770(a)(9), for advertising 
services with intent not to sell them as advertised. Plaintiff has been harmed by, and as a direct 
consequence of Coinbase’s violations of the CLRA. 

477. Coinbase’s acts and practices were intended to result in the sale of services, including 
services involving Coinbase’s processing of valuable data Coinbase claimed to require as a 
condition precedent to facilitating transactions on Mr. Dellone’s Coinbase account. 

478. Regarding Coinbase’s use of the data it collected from and about its retail customers, 
Coinbase specifically made the following representations, in violation of section1770(a)(5): 
Coinbase claimed it used Cookies “to recognize” its customers and “to collect information about 
your [the Coinbase customer’s] computer or other access device to mitigate risk, help prevent 
fraud, and promote trust and safety.” User Agreement, Exhibit A at p. 29 (emphasis added); and 
Coinbase stated that it engages in the “monitoring of IP addresses” as part of what it believes is 
a “reasonable risk-based program” aimed at complying with Anti-Money Laundering and Know 
Your Customer regulations. 

479. In violation of section1770(a)(5), Coinbase represented that its custodial services 
included reasonable, competent customer support services, including adequately trained and 
sufficiently authorized live agents who can respond to urgent customer phone calls and take 
necessary actions involving Coinbase customer accounts. Coinbase did not, in fact, provide 
services with those characteristics and benefits. 

480. In violation of section!770(a)(7), Coinbase represented that USD Coins, which are not 
legal tender, are superior to or essentially the same as US Dollars. 

481. Coinbase also made the following statements, in violation of section!770(a)(7), which 
indicate that Coinbase’s cybersecurity was of a particular quality, which it was not: Coinbase 


claimed that no customer assets had ever been lost due to a breach of the Coinbase Platform; and 
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Coinbase represented that VOIP numbers are not allowed on the Coinbase Platform for use with 
Coinbase accounts. 

482. When Coinbase made these statements, Coinbase knew that it was collecting IP 
addresses, device IDs, and PII, and was installing Cookies, Flash Cookies, and Web Beacons on 
Plaintiffs devices, and was collecting and profiting from the resulting information, primarily for 
purposes not related to security. 

483. In violation of sectionl1770(a)(9), Coinbase advertised, without the intent to sell its 
services, as including a means by which its customers can resolve their “disputes” with Coinbase, 
including disputes concerning fraudulent financial transactions (e.g., refunded bank transactions) 
in a fair and reasonably timely manner. 

484. In violation of sectionl1770(a)(9), Coinbase advertised, without the intent to sell its 
services, as including a means by which Coinbase customers can limit their liability for 
unauthorized transactions and stolen cryptocurrencies, by timely reporting the unauthorized 
transactions to Coinbase. 

485. Coinbase’s representations concerning the safeguards it employs to protect consumer 
financial accounts, and concerning its willingness to fully participate in the dispute resolution 
processes, are likely to mislead reasonable consumers. 

486. Plaintiff seeks equitable relief, pursuant to Cal. Civ. Code § 1782(a)(2), in the form of an 
injunction prohibiting Coinbase, individually and through its agents, servants, employees, and 
all persons acting under, in concert with, or at the direction of Coinbase, from continuing to 
collect customer cyber-identification data that Coinbase does not use to help Coinbase detect 
fraud, prevent theft and money laundering, or timely address and resolve issues concerning 
foreseeable Platform breaches, including breaches of accounts hosted on the Coinbase Platform. 
487. Plaintiff seeks equitable relief, pursuant to Cal. Civ. Code § 1782(a)(2), in the form of an 
injunction prohibiting Coinbase from continuing to circulate both USD and USDC on its 
Platform simultaneously, as doing so constitutes a deceptive act or practice undertaken by 
Coinbase in transactions with its consumers, which are intended to result, and have resulted, in 


the sale or lease of goods (USDC) or services (custodial services) to Mr. Dellone (a consumer). 
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488. Plaintiff seeks equitable relief, pursuant to Cal. Civ. Code § 1782(a)(2), in the form of an 
injunction prohibiting Coinbase from continuing to allow VOIP numbers on its Platform; or in 
the form of an order instructing Coinbase to take steps reasonably necessary to account for the 
risks presented by undetected VOIP numbers used as “credentials” on its Platform. 
489. Plaintiff seeks equitable relief, pursuant to Cal. Civ. Code § 1782(a)(2), in the form of 
an injunction prohibiting Coinbase from continuing to make public statements indicating that no 
customer assets have ever been lost due to breach of the Coinbase Platform. 
490. Plaintiff requests restitution in the amount of his stolen property, plus court costs and 
attorney’s fees, punitive damages, and any other relief this Court deems just and proper in 
accordance with Cal. Civ. Code § 1780(a). 
FIFTEENTH CLAIM FOR RELIEF 
CALIFORNIA UNFAIR COMPETITION LAW (“UCL”), BUSINESS & 


PROFESSIONAL CODE § 17200 ET SEQ. — UNFAIR BUSINESS PRACTICE 


(AGAINST COINBASE) 
491. Plaintiff realleges and incorporates each of the above paragraphs 1 — 490, as though fully 


set forth in this cause of action. 

492. California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seg. (“UCL”) 
prohibits “any unlawful, unfair or fraudulent business act or practice.” 

493. A business act is “unfair” where it is immoral, unethical, oppressive, unscrupulous, 
unconscionable, and/or substantially injurious, contrary to legislatively declared public policy, 
and the harm it caused to consumers outweighed its utility. 

494. Coinbase is a “person” as defined by Cal. Bus. & Prof Code § 17200. 

495. Coinbase’s conduct, as alleged in this Complaint, was unfair under the UCL. 

496. Coinbase’s “unfair” acts and practices include Coinbase’s collection of transaction 
revenue and Coinbase’s misleading statements made to Plaintiff, despite Coinbase’s: (i) failure 
to implement and maintain security measures reasonably designed to protect Plaintiff's financial 
and cyber-identification data from consecutive and substantial unauthorized disclosures, data 


breaches, interferences, and conversions; (ii) failure to identify foreseeable cybersecurity risks, 
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namely SIM Swap attacks, and remediate data leaks and security flaws identified by Coinbase 
and Coinbase customers following numerous security incidents experienced by Coinbase, 
resulting from SIM Swap attacks; (iii) failure to implement and maintain reasonable security 
measures, contrary to legislatively-declared public policy that seeks to protect consumer data 
and ensure entities entrusted with such sensitive financial and personal information use 
appropriate, statutorily described security measures—these public policies are reflected in the 
FTC Act (15 U.S.C. § 45), the CCPA (Cal. Civ. Code §§ 1798.100 et seq.), the Bank Secrecy 
Act, (31 U.S.C. § 5311), and the California Customer Records Act (Cal. Civ. Code §§ 1798.80, 
et seq.) (which requires businesses to ensure that personal information about California residents 
is protected); and (iv) failure to implement and enforce reasonable online account breach 
response procedures that are not substantially injurious to its consumers. 

497. Coinbase’s acts, as alleged above, have caused substantial injuries to Plaintiff, and to 
similarly situated Coinbase customers, in a manner that does not outweigh any countervailing 
benefits to California consumers or emerging financial sector competition. 

498. Inthe course of conducting its business, Coinbase also engaged in “unfair” business acts 
and practices within the meaning of the UCL, by: (v) improperly and unreasonably preventing 
Plaintiff from accessing his Coinbase account and funds, either for extended periods of time or 
permanently; (vi) failing to timely respond to Plaintiff's requests for appropriate customer 
support, despite promising to do so; (vii) failing to preserve and safeguard customer funds, 
including Plaintiffs funds, as Coinbase had specifically represented it would; and (viii) refusing 
to compensate its customers, including Plaintiff, for harms caused by Coinbase’s egregious 
misconduct and for monetary losses caused by Coinbase’s own wrongful conduct. 

499. Electronic fund transfers from users’ Coinbase accounts are virtually instant on the 
Coinbase Platform; therefore, when there is an account breach on the Coinbase Platform, the 
breaching persons may obtain unfettered access to a Coinbase users’ digital assets and funds for 
as long as the customer does not receive actual or constructive notice of the breach. 

500. Coinbase did not implement a reasonable means to protect against, and provide adequate 


and timely notice of instances of unauthorized asset exfiltration relating to unnoticed and/or 
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software-assisted breaches on its Platform that can occur and had occurred while its customers 
were sleeping or otherwise physically unable to receive or respond to said breaches. 
501. Coinbase did not institute a waiting-time requirement for highly-suspicious, irreversible 
transfers of assets from or off the Coinbase Platform, even though other custodial cryptocurrency 
exchanges enforce a waiting period for such transfers. 
502. Because many consumers lack critical knowledge concerning Coinbase’s inadequate 
cybersecurity practices, consumers, including Plaintiff, have been obstructed by Coinbase from 
making reasonably informed decisions regarding how to effectively minimize risks of losing 
property and funds, and how they (customers) can take steps to address harms like those 
sustained by Plaintiff. 
503. Asaresult of Coinbase’s unfair business acts and practices, Plaintiff is entitled to relief, 
including restitution, and declaratory relief and/or a permanent injunction enjoining Coinbase 
from continuing its unfair practices, along with reasonable attorneys’ fees and costs. 
504. Plaintiff seeks equitable relief in the form of an order by this Court instructing 
Coinbase to disclose the dollar amount and the percentage (as a fraction of all revenue) of 
Coinbase’s “transaction revenue,” reported by Coinbase in the years 2021, 2022, and 2023, 
which was or may have been connected to SIM Swap attacks. 
SIXTEENTH CLAIM FOR RELIEF 
CALIFORNIA UNFAIR COMPETITION LAW (“UCL”), BUSINESS & 


PROFESSIONAL CODE § 17200 ET SEQ. — UNLAWFUL BUSINESS PRACTICE 


(AGAINST COINBASE) 
505. Plaintiff realleges and incorporates each of the above paragraphs 1 — 504, as though fully 


set forth in this cause of action. 

506. California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 (“UCL”) prohibits 
“any unlawful, unfair or fraudulent business act or practice.” 

507. A business act or practice is “unlawful” when it is proscribed by some other statute, 
regulation or constitutional provision. 


508. Coinbase is a “person” as defined by Cal. Bus. & Prof Code § 17200. 
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509. Coinbase engaged in proscribed business acts or practices that required Coinbase to 
adhere to federal and state laws, including: the FTC Act (15 U.S.C. § 45), the California 
Customer Records Act (Cal. Civ. Code §§ 1798.80, et seq.), California Penal Code § 496, the 
CCPA (Cal. Civ. Code §§ 1798.100 et seq.), the Stamp Payments Act of 1862 (18 U.S.C. § 336), 
the Bank Secrecy Act, (31 U.S.C. § 5311), and the Securities Exchange Act of 1934 (15 U.S.C. 
§ 78c). 
510. The Stamp Payments Act of 1862, 18 U.S.C. § 336, reads: 
Whoever makes, issues, circulates, or pays out any note, check, memorandum, token, or 
other obligation for a less sum than $1, intended to circulate as money or to be received 
or used in lieu of lawful money of the United States, shall be fined under this title or 
imprisoned not more than six months, or both. 
511. Coinbase makes, issues, pays out, and circulates USDC for sums less than $1.00, in 
violation of the Stamp Payments Act of 1862 (18 U.S.C. § 336). 
512. In violation of the Bank Secrecy Act, Coinbase failed to take the necessary steps to 
implement and enforce risk-based security and user-authentication measures. 
513. Coinbase had exclusive knowledge of material facts related to the fraudulent activity on 
Plaintiff's Coinbase account, and Coinbase maintains records that are highly relevant to the 
recovery of Plaintiff's property. Coinbase has withheld and prevented Plaintiff from obtaining 
pertinent, accurate, and complete records and information, for over a year. 
514. Coinbase failed to hire, train, and supervise its staff, employees, and Coinbase’s 
“Affiliates,” which has resulted in Coinbase’s violations of the CCPA (Cal. Civ. Code §§ 
1798.100 et seq.). 
515. According to Section 5(a) of the FTC Act, 15 U.S.C. §45(a), “Unfair methods of 
competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting 
commerce, are hereby declared unlawful.” 
516. Coinbase violated the FTC Act by issuing, circulating, and paying out digital currency 
deceptively branded as “U.S. Dollar Coin.” 


517. Coinbase’s circulation of “USDC,” is an unfair method affecting commerce because 
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Coinbase has tens of thousands of customers across the United States and around the world, and 
Coinbase has explicitly promoted USDC as a superior or alternative form of the U.S. dollar, 
which fundamentally challenges the integrity and value of government-backed legal tender. 
518. By failing to provide adequate notice of its failures to safeguard its customers’ 
usernames, phone numbers, email addresses, and Coinbase-account access tokens, Coinbase 
violated California’s Shine the Light Law (see Cal. Civ. Code § 1798.81.5). 
519. As a direct and proximate result of Coinbase’s unlawful business acts and practices, 
Plaintiff has suffered injury, including losses of digital dollars, crypto-assets, and other digital 
currencies, his cyber-identification data, and his confidential consumer financial information. 
520. Plaintiff seeks declaratory or injunctive relief in the form of an order by this Court 
enjoining Coinbase from continuing to issue and circulate USDC and U.S. dollars, 
simultaneously, on its Platform. 
521. Under Federal Rule of Civil Procedure 23 and California Code of Civil Procedure § 
1021.5, Plaintiff is entitled to relief, including attorneys’ fees and costs, and restitution. 
SEVENTEENTH CLAIM FOR RELIEF 

UNJUST ENRICHMENT (AGAINST COINBASE) 
522. Plaintiff realleges and incorporates each of the above paragraphs | — 521, as though fully 
set forth in this cause of action. 
523. Plaintiff paid Coinbase over two thousand dollars ($2,000) in transaction fees from 
October 2013 to the present, which, on information and belief, represent half the transaction fee 
revenue Coinbase collected on the transactions involving his account. 
524. Plaintiff conferred a direct benefit upon Coinbase when he deposited and stored his funds 
and digital assets on the Coinbase Platform. 
525. The funds and assets in Plaintiff's Coinbase account allowed Coinbase to generate 
revenue from investing, trading, selling, buying, loaning, or otherwise exchanging Plaintiffs 
funds and assets with third-parties, and with Coinbase’s “Affiliates.” 
526. Plaintiff conferred direct benefits upon Coinbase when he provided Coinbase with his 


private and sensitive digital data, including but not limited to his financial information and PII. 
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527. Over an eight-year period, Plaintiff directly conferred benefits upon Coinbase by 
providing fees and data to Coinbase, in exchange for Coinbase maintaining and providing 
Plaintiff access to, and conducting electronic fund transfers on his Coinbase account. 

528. Coinbase has unjustly restricted Plaintiff's access to, and has failed to conduct secure 
transactions on, his Coinbase account. 

529. Coinbase knew of the benefits Plaintiff conferred upon it, and Coinbase has unjustly 
retained those benefits, and has enriched itself by its deceitful conduct, at Plaintiff's expense. 
Coinbase, for example, promised Plaintiff that it would take reasonable efforts to protect 
Plaintiff's data, but instead, Coinbase collected thousands of dollars in transaction fees from 
facilitating indisputably unauthorized transactions on Plaintiff's Coinbase account. 

530. Coinbase has been unjustly enriched by its misappropriation of Plaintiff's transaction 
fees and his digital account data, and as a direct result, Coinbase has received and retained 
benefits that it would not have received, but for its wrongful conduct. 

531. The circumstances under which Plaintiff conferred and Coinbase accepted the benefits 
Plaintiff provided, render Coinbase’s retention of the benefits inequitable. 

532. Coinbase was unjustly enriched by its circulation of USDC tokens and Security Tokens 
on Coinbase’s Platform, which conferred a direct benefit upon Coinbase, as Coinbase traded and 
leveraged those assets for several years, while ignoring and failing to comply with applicable 
statutes, regulations, and consumer protection laws. 

533. Coinbase deceived Plaintiff, causing him to into assume unnecessary risks inherent in 
trading or investing in USDC and Security Tokens on the Coinbase Platform, which were 
unknowable to Plaintiff before December 14, 2021. 

534. Plaintiff conferred a direct benefit upon Coinbase by providing Coinbase fees and data 
over an eight-year period, which, beginning in April 2021, Coinbase used exclusively for 
purposes other than safeguarding Plaintiff's Coinbase account and assets. 

535. Plaintiffhas been harmed by Coinbase’s sale and exploitation of Plaintiff's PII and cyber- 
identification data, and by the fraudulent cryptocurrency and money transactions Coinbase 


effectuated using Plaintiffs confidential information and data. 
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536. Under principles of equity and good conscience, Coinbase should not be permitted to 
retain the fees Coinbase collected on transactions initiated using Plaintiff's Coinbase account, 
from October 2013 to the present. 

537. Equity requires that Coinbase return to Plaintiff the benefits he conferred upon Coinbase. 
538. Plaintiff respectfully requests an order from this Court instructing Coinbase to disgorge 
the fees and rewards, including Security Token staking rewards, Coinbase has collected from 
transactions involving Plaintiff's Coinbase account, which Coinbase has inequitably retained, as 
well as the reasonable USD value of the revenues Coinbase collected from exploiting Plaintiffs 
data, from October 2013 to the present. 

539. Punitive damages are appropriate under this cause of action because Coinbase knew, or 
should have known about the security vulnerabilities in its products and services—i.e., those that 
directly caused Plaintiff’s Coinbase account to be drained—and Coinbase willfully disregarded 
those extreme yet preventable risks for its own exclusive economic and reputational benefit. 


EIGHTEENTH CLAIM FOR RELIEF 


DECLARATORY JUDGMENT — VOID AND UNCONSCIONABLE (USER 


AGREEMENT) 
540. Plaintiff realleges and incorporates each of the above paragraphs 1 — 539, as though fully 


set forth in this cause of action. 

541. Plaintiff brings this claim for declaratory relief under 28 U.S.C. § 2201, to have this Court 
declare the User Agreement (Coinbase’s User Agreement, dated December 6, 2021, attached 
hereto as “Exhibit A”) unconscionable, void against public policy, and unenforceable in its 
entirety. 

542. Coinbase’s employees and agents have cited to the User Agreement, on multiple 
occasions, in support of: patently false statements related to Coinbase’s purported contractual 
duties to Plaintiff; Coinbase’s liability for fraud and unauthorized transactions on Plaintiff's 
Coinbase account, which Plaintiff timely reported to Coinbase; and the manner in which 
Coinbase responds to suspicious activity on the Coinbase Platform. 


543. Coinbase drafted the User Agreement. 
75 


COMPLAINT 


THE LAW OFFICE OF ETHAN MORA 


1040 E. HERNDON AVE., SUITE 202 


FRESNO, CA 93720 


ase 1:23-cv-01408-ADA-HBK Document1 Filed 09/26/23 Page 77 of 87 


544. Plaintiff never had an opportunity to negotiate any term of the User Agreement. 

545. The User Agreement is a standard contract of adhesion, which was presented by Coinbase 

to Plaintiff on a strictly take-it-or-leave-it basis. 

546. Coinbase had virtually unchecked authority to insist upon any term its legal department 

could devise, regardless of whether Plaintiff or any of its customers were aware of those terms. 

547. Coinbase is a multi-billion-dollar, publicly-traded financial technology company 

comprising and supported by an army of attorneys, software engineers, and “support team” 

employees. 

548. Plaintiff is an individual consumer with virtually no bargaining power relative to 

Coinbase. 

549. The disparity in bargaining power between Coinbase and its customers is stark, and is 

significant to Plaintiff's and Coinbase’s respective rights in equity and at law. 

550. The User Agreement is procedurally unconscionable because it imposes onerous, unfair, 

and unusual burdens on Plaintiff. 

551. The procedural unconscionability of the User Agreement is expressly incorporated in the 

User Agreement’s “Delegation Clause,” which allegedly affords Coinbase exclusive authority 

to “decides who decides” disputes raised by its customers. 

552. The Delegation Clause is found in Paragraph 8.2 of the User Agreement, and it reads: 
If you have a dispute with Coinbase (a “Complaint”), you agree to contact Coinbase 
through our support team to attempt to resolve any such dispute amicably. If we cannot 
resolve the dispute through the Coinbase support team, you and we agree to use the 
Formal Complaint Process set forth below. You agree to use this process before filing 
any arbitration claim or small claims action. If you do not follow the procedures set out 
in this Section before filing an arbitration claim or suit in small claims court, we shall 
have the right to ask the arbitrator or small claims court to dismiss your filing unless and 
until you complete the following steps. 

(Emphasis added). 


553. The Delegation Clause refers only to disputes raised by Coinbase customers (e.g., “If you 
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[Plaintiff] have a dispute,” “You agree to use this process”). The Delegation Clause does not 
reference disputes raised by Coinbase. Accordingly, the Delegation Clause unfairly restricts 
Plaintiffs, and not Coinbase’s, right to seek redress for harms and losses sustained during or as 
a result of Plaintiff's and Coinbase’s relationship. 

554. The Delegation Clause also grants Coinbase an exclusive right to seek dismissal of claims 
filed by its customers against Coinbase, but not vice versa (i.e., “If you [Plaintiff] do not follow 


99 66. 


the procedures set out in this Section,” “we [Coinbase] shall have the right to ask the arbitrator 
or small claims court to dismiss your filing unless and until you complete the following steps.”’). 
555. The Delegation Clause forces Coinbase customers to overcome a gauntlet of time- 
consuming fool’s errands devised by Coinbase, which, among other trivial and frustrating 
exercises, include initiating, and waiting until the conclusion of the one-sided “Formal 
Complaint Process.” 
556. According to the Delegation Clause, the authority to decide whether a customer pursuing 
claims against Coinbase has complied with the terms of the User Agreement, rests solely with 
Coinbase. 
557. The User Agreement is unenforceable because the Delegation Clause affords Coinbase, 
but not Plaintiff, the exclusive right to decide whether Plaintiff has satisfied or complied with 
the conditions precedent to arbitrating Plaintiffs claims. 
558. The Delegation Clause indicates that the Formal Complaint Process can only be initiated 
by Coinbase’s customers, not by Coinbase. 
559. Unlike Coinbase customers, Coinbase has no “Formal Complaint Process” that it must 
initiate in the event a dispute arises. 
560. The User Agreement’s “Arbitration Provision” refers only to disputes that cannot be 
resolved by Coinbase through the Formal Complaint Process. 
561. In pertinent part, the Arbitration Provision reads: 
8.3. Arbitration; Waiver of Class Action. If we [Coinbase] cannot resolve the dispute 
through the Formal Complaint Process, you and we [the Parties] agree that any 
dispute arising out of or relating to this Agreement or the Coinbase Services, 
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including, without limitation, federal and state statutory claims, common law 
claims, and those based in contract, tort, fraud, misrepresentation, or any other 
legal theory, shall be resolved through binding arbitration, on an individual basis 
(the “Arbitration Agreement”). 
(Bold in original; underlines added). 
562. A plain reading of the User Agreement indicates that the Arbitration Provision applies 
only to claims that Coinbase customers assert against Coinbase, and not the other way around. 
Accordingly, the Arbitration Provision does not apply to claims Coinbase might pursue against 
its customers, as those claims can be resolved absent the Formal Complaint Process entirely. 
563. The Delegation Clause and the Arbitration Provision are inextricable, which renders the 
Arbitration Provision, and the User Agreement in its entirety, unenforceable as against Plaintiff. 
564. The Arbitration Provision is unfair, lacks mutuality, and is void for unconscionability. 
565. Enforcement of the Arbitration Provision would unjustly require that Plaintiff forego 
seeking the full range of statutory remedies for Coinbase’s fraud and negligence, including 
punitive damages and attorney fees, which are available to Plaintiff under his claims herein 
alleged, and which Plaintiff would otherwise be entitled to receive, should he prevail. 
566. The exculpatory provision in Paragraph 9.3 of the User Agreement (“Exculpatory 
Provision”) contains numerous provisions that are contrary to public policy. These provisions 
exempt Coinbase from responsibility for its own gross negligence, fraud, and violations of 
statutory law. 
567. In pertinent part, the Exculpatory Provision reads: 
IN NO EVENT SHALL COINBASE, ITS AFFILIATES AND SERVICE PROVIDERS, 
OR ANY OFTHEIR RESPECTIVE OFFICERS, DIRECTORS, AGENTS, JOINT 
VENTURERS, EMPLOYEES OR REPRESENTATIVES, BE LIABLE (A) FOR ANY 
AMOUNT GREATER THAN THE VALUE OF THE SUPPORTED DIGITAL 
CURRENCY ON DEPOSIT IN YOUR COINBASE ACCOUNT(S) OR (B) FOR ANY 
LOST PROFITS, DIMINUTION IN VALUE OR BUSINESS OPPORTUNITY, ANY 


LOSS, DAMAGE, CORRUPTION OR BREACH OF DATA OR ANY OTHER 
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568. 


INTANGIBLE PROPERTY OR ANY SPECIAL, INCIDENTAL, INDIRECT, 
INTANGIBLE, OR CONSEQUENTIAL DAMAGES, WHETHER BASED IN 
CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, 
ARISING OUT OF OR IN CONNECTION WITH AUTHORIZED OR 
UNAUTHORIZED USE OF THE COINBASE SITE OR THE COINBASE SERVICES, 
OR THIS AGREEMENT, EVEN IF AN AUTHORIZED REPRESENTATIVE OF 
COINBASE HAS BEEN ADVISED OF OR KNEW OR SHOULD HAVE KNOWN OF 
THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE 
FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL 
PURPOSE, EXCEPT TO THE EXTENT OF A FINAL JUDICIAL DETERMINATION 
THAT SUCH DAMAGES WERE A_ RESULT OF COINBASE’S GROSS 
NEGLIGENCE, FRAUD, WILLFUL MISCONDUCT OR INTENTIONAL 
VIOLATION OF LAW. THIS MEANS [. . .| THAT YOU MAY NOT RECOVER FOR 
LOST PROFITS, LOST BUSINESS OPPORTUNITIES, DIMINUTION IN VALUE 
OR OTHER TYPES OF SPECIAL, INCIDENTAL, INDIRECT, INTANGIBLE, 
EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES IN EXCESS OF THE 
VALUE OF THE SUPPORTED DIGITAL CURRENCY AT ISSUE IN THE 
TRANSACTION. 


The Exculpatory Provision renders the entire User Agreement unenforceable on public 


policy grounds because it would exempt Coinbase from any damages resulting from its willful 


misconduct, including statutory violations and Coinbase’s gross negligence, fraud, and specific 


violations of the EFTA, Regulation E, and the CFAA. 


569. 


The indemnity provision in Paragraph 9.2 of the User Agreement (the “Indemnity’’) 


requires that Plaintiff hold Coinbase harmless for Coinbase’s negligence, deliberate 


misbehavior, gross negligence, statutory violations (including willful disclosure of confidential 


and sensitive personal information), and fraud, so long as the conduct is “in any way connected 


with” any dispute arising out of “‘any and all claims, demands and damages . . . of every kind 


and nature” that a Coinbase customer might have with any other users of its Platform, including 
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DOES 1-50. 

570. The Indemnity reads: 
If you have a dispute with one or more users of the Coinbase Services, you release 
Coinbase, its affiliates and service providers, and each of their respective officers, 
directors, agents, joint venturers, employees and representatives from any and all claims, 
demands and damages (actual and consequential) of every kind and nature arising out of 
or in any way connected with such disputes. You agree to indemnify and hold Coinbase, 
its affiliates and Service Providers, and each of its or their respective officers, directors, 
agents, joint venturers, employees and representatives, harmless from any claim or 
demand (including attorneys' fees and any fines, fees or penalties imposed by any 
regulatory authority) arising out of or related to your breach of this Agreement or your 
violation of any law, rule or regulation, or the rights of any third party. 

571. Coinbase is the largest cryptocurrency exchange company in the United States, yet the 

Indemnity purportedly exempts Coinbase from liability for all damages, including damages 

arising from its own deliberate, grossly negligent, and fraudulent acts, as well as for any unlawful 

acts of DOES 1-50. 

572. The allocation of risk among Plaintiff and Coinbase, as set out in the Indemnity, is 

objectively unreasonable. 

573. Inacontract of adhesion, when the indemnity provision defeats the entire purpose of the 

contract by making it impossible for a consumer to bring claims against the company for the 

entire range of statutory rights to which the consumer is entitled, the entire agreement is rendered 

unconscionable and unenforceable on its face. 

574. The User Agreement is a contract of adhesion. The Indemnity defeats the entire purpose 

of the contract by making it impossible for Plaintiff to bring claims against Coinbase for the 

entire range of statutory rights to which Plaintiff is entitled. The User Agreement is, therefore, 

unconscionable and unenforceable on its face. 

575. The User Agreement, including the Exculpatory Provision, Damages Restriction, 


Indemnity, and Arbitration Provision, is unenforceable in its entirety, and is unconscionable, and 
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void against public policy, as it unfairly obstructs and seeks to prevent Coinbase’s consumer 
customers, specifically Plaintiff, from seeking adequate redress from Coinbase, even in instances 
where, as here, Coinbase is alleged to have violated the CFAA, EFTA, CCPA, and California 
Penal Code § 496. 
576. The User Agreement is unenforceable because the central purpose of the Agreement is 
tainted with illegality such that the contract, as a whole, cannot be enforced. 
577. There is an actionable and justiciable controversy between Plaintiff and Coinbase. 
578. The Court’s decision in AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2010) did not 
abrogate the Federal Arbitration Act’s savings clause, which provides that arbitration agreements 
may be declared unenforceable “upon such grounds as exist at law or in equity for the revocation 
of any contract,” including “generally applicable contract defenses, such as fraud, duress, or 
unconscionability.”” Concepcion at 339, quoting 9 U.S.C. § 2 and Doctors Associates, Inc. v. 
Casarotto, 517 U.S. 681, 687 (1996). These defenses apply squarely to the User Agreement here. 
579. Plaintiff respectfully demands entry of a judgment against Coinbase, declaring the User 
Agreement, in its entirety, unenforceable as unconscionable; as against public policy; or, in the 
alternative, that the Delegation Clause is unenforceable and: (a) the Exculpatory Provision is 
unenforceable as against Plaintiff; (b) the Damages Restriction is unenforceable as against 
Plaintiff; (c) the Indemnity Provision is unenforceable as against Plaintiff; and (d) the Arbitration 
Provision is unenforceable as against Plaintiff. 

NINETEENTH CLAIM FOR RELIEF 

CONSTRUCTIVE TRUST 

580. Plaintiff realleges and incorporates each of the above paragraphs 1 — 579, as though fully 
set forth in this cause of action. 
581. Defendants obtained Plaintiff's cryptocurrency through actual fraud, misappropriation, 
conversion, theft, or by other unlawful or unethical means. 
582. In equity and good conscience, Defendants should not be permitted to retain Plaintiff’s 
bitcoins and BSV. 


583. Coinbase took actions and made promises with the intent to defraud Plaintiff, and to 
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induce him to store, and continue storing and exchanging his digital assets on or using the 
Coinbase Platform. 
584. DOES 1-50 stole, or intended to permanently deprive Plaintiff of his bitcoins and his 
BSV. 
585. Coinbase caused DOES 1-50 to acquire and retain Plaintiff's property, and the proceeds 
thereof or the profits therefrom, for Defendants’ respective benefits. 
586. Plaintiff acted reasonably in relying on Coinbase’s acts and promises. 
587. Plaintiff would not have acted in reliance upon Coinbase’s promises, had Plaintiff known 
of Coinbase’s secret intention not to perform its duties as a regulated financial institution and 
custodial Wallet services provider. 
588. The cryptocurrency assets for which Plaintiff seeks imposition of a constructive trust are 
specific, identifiable properties that can be traced to the Bitcoin public key address, 
bclqjp79ak6fxm4h7j0tsrwqx2n2k4tcqqveqxrvgm (the bcl Wallet); and to the BSV public key 
address, 1420 HFL8GGyuK CvbFtGw9PqQ5Urspwn9uu. 
589. Plaintiff hereby demands the equitable imposition of a constructive trust over the 
property currently held in the bel Wallet, and in the BSV_ Wallet, 
14goHFL8GGyuK CvbFtGw9PqQ5Urspwn9uuy. 
590. Plaintiff requests an order that all assets being held by Defendants in the bc1 Wallet, and 
in the 14g0HFL8GGyuK CvbFtGw9PqQ5Urspwn9uu BSV Wallet, be disgorged and held in 
trust for Plaintiff's benefit, as Defendants are not entitled to the benefit of misappropriated, 
converted, or stolen funds or assets. 

TWENTIETH CLAIM FOR RELIEF 

REPLEVIN AND DETINUE 

591. Plaintiff realleges and incorporates each of the above paragraphs 1 — 590, as though fully 
set forth in this cause of action. 
592. This is an action to recover possession of personal property. 
593. The personal property at issue is 2.05698427 bitcoins (the “‘res’’). 


594. As of the date of this filing, the res is believed to be stored in the Bitcoin Wallet with the 
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public key address, bel qjp79ak6fxm4h 7j0tsrwqx2n2k4tcqqvegxrvgm (the bcl Wallet). 
595. The res was wrongfully taken from Plaintiff on December 14, 2021, and the res was 
transferred from Plaintiff's Bitcoin Wallet to the be Wallet, without Plaintiff's knowledge, 
permission, or consent, and through no fault of his own. 
596. Plaintiff owned and has the right to possess the res, and not just a mere right to payment 
for the value of the res. 
597. Defendants have intentionally exercised control, and continue to exercise control, over 
the bitcoins currently associated with the bc Wallet, in a manner that excludes Plaintiff from 
using or possessing the res. 
598. The res has not been taken for any tax assessment or fine pursuant to law, nor has the res 
been taken under an execution or attachment against Plaintiffs property. 
599. The res is not exempt from execution. 
600. The res has been unlawfully detained by Defendants, and has not been returned to 
Plaintiff as of the date of filing of this Complaint. 
601. Plaintiff seeks assistance from this Court to restore the res to Plaintiff. 
602. Plaintiff hereby demands a writ of replevin, and detinue of the bitcoins taken from him. 
603. Plaintiff demands a writ of detinue directing the United States Marshal in any district 
where the res may be located, to repossess the res on behalf of Plaintiff, or to assist Plaintiff in 
repossessing the res. 
23 

This Complaint is not being presented for an improper purpose, such as to harass, cause 
unnecessary delay, or needlessly increase the cost of litigation. 

This Complaint is supported by existing law or by a nonfrivolous argument for extending, 
modifying, or reversing existing law. 

The factual contentions in this Complaint have evidentiary support or, if alleged upon 
information and belief, will likely have evidentiary support after a reasonable opportunity for 
further investigation or discovery. 


This Complaint complies with the requirements of Rule 11. 
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28 ok 


PRAYER FOR RELIEF 


WHEREFORE, Plaintiff demands judgment against Defendants as follows: 


a. 


Requiring Defendants to pay the actual damages sustained by Plaintiff by reason of the 
acts and transactions alleged herein, plus punitive damages; 

For general damages against Defendants, and each of them, jointly and severally, in an 
amount to be determined at trial in order to restore Plaintiff to the position he was in prior 
to the damage, but in no event less than $101,762.51 USD, or 2.05 BTC and 1.727 BSV; 
For an award of restitution, and an order for the disgorgement of all of Defendants’ ill- 
gotten gains from the unlawful conduct alleged herein; 

For exemplary and punitive damages against Defendants, and each of them, in an amount 
to be determined at trial; 

For an order permanently and publicly enjoining Defendants from continuing to engage 
in the unlawful and unfair business acts and practices alleged herein; 

For a judgment declaring the Coinbase User Agreement (dated December 6, 2021) 
unenforceable in its entirety, as unconscionable, and as void against public policy; or, 

in the alternative that: (a) the Delegation Clause is unenforceable as against Plaintiff; 
(b) the Damages Restriction is unenforceable as against Plaintiff; (c) the Indemnity is 
unenforceable as against Plaintiff; and (d) the Arbitration Provision is unenforceable as 
against Plaintiff; 

For an order permanently and publicly restraining each and every person with possession 
of the private key(s) for the bcI Wallet from taking any action that would, or reasonably 
could cause the 2.05647153 BTC presently in the bcl Wallet, to be transferred to another 
Bitcoin Wallet, or to otherwise become irrecoverable; 

For an order for a writ of detinue directing the United States Marshal in any district where 
the res may be located to repossess the res and/or the bitcoins in the bcI Wallet, on behalf 
of Plaintiff Ryan Dellone, or to otherwise assist Plaintiff in repossessing the res; 


For an order compelling Defendants to transfer to Plaintiff the control, legal title, and 
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possession of the 2.05698427 bitcoins located at the Bitcoin public key address, 
belqjp79ak6fxm4h 7j0tsrwqx2n2k4tcqqveqxrvgm; and to do the same with the XTZs 
and XTZ rewards earned through Plaintiff's Coinbase account, and the BSV at the BSV 
public key address, 14g0 HFL8GGyuKCvbFtGw9PqQ5Urspwn9uu; 

For an order requiring Defendants to engage in necessary corrective actions, so that 
customer accounts and customer funds and cryptocurrency assets can be secured, 
accessed, and exchanged between Plaintiff and any persons or entities currently in 


possession of those accounts, funds, and assets belonging to Plaintiff; 


. Awarding Plaintiff prejudgment and post-judgment interest, as well as well as reasonable 


attorneys’ fees, expert fees and other costs and expenses of this litigation; and 


Awarding such other relief as the Court deems just and proper. 


28 2 2k 


DEMAND FOR TRIAL BY JURY 


Plaintiff hereby demands a trial by jury on all issues so triable. 


28 ok 


THE LAW OFFICE OF ETHAN MORA 


By:___/s/ Ethan E. Mora 


Ethan E. Mora, Esq. 


Attorney for Plaintiff Ryan Dellone 
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Coinbase User Agreement 


Last updated: December 6, 2021 


Welcome to Coinbase! This is a User Agreement between you (also referred to herein as “Client,” “User,” or customer) and Coinbase 
Inc. ("Coinbase"). This User Agreement ("Agreement") governs your use of the services provided by Coinbase described below 
("Coinbase Services" or "Services"). By signing up to use an account through coinbase.com, pro.coinbase.com, APIs, or the 
Coinbase mobile application (collectively the "Coinbase Site"), you agree that you have read, understand, and accept all of the 
terms and conditions contained in this Agreement including Section 8.2. "Arbitration; Waiver of Class Action", as well as our Privacy 
Policy, Cookie Policy, and E-Sign Consent Policy. 


As with any asset, the value of Digital Currencies can go up or down and there can be a substantial risk that you lose money 
buying, selling, holding, or investing in digital currencies. You should carefully consider whether trading or holding Digital 
Currencies is suitable for you in light of your financial condition. Coinbase is not registered with the U.S. Securities and 
Exchange Commission and does not offer securities services in the United States or to U.S. persons. 


Part 1: GENERAL USE 


1. Account Setup 


1.1. Eligibility. To be eligible to use the Coinbase Services, you must be at least 18 years old, and reside in the United States. 


1.2. Terms. We may amend or modify this Agreement at any time by posting the revised agreement on the Coinbase Site and/or 
providing a copy to you (a “Revised Agreement”). The Revised Agreement shall be effective as of the time it is posted but will not 
apply retroactively. Your continued use of the Services after the posting of a Revised Agreement constitutes your acceptance of 
such Revised Agreement. If you do not agree with any such modification, your sole and exclusive remedy is to terminate your use of 
the Services and close your account. 


1.3. Registration of Coinbase Account. You must register for a Coinbase account to use the Coinbase Services (a "Coinbase 
Account"). By using a Coinbase Account you agree and represent that you will use Coinbase only for yourself, and not on behalf of 
any third party, unless you have obtained prior approval from Coinbase. You are fully responsible for all activity that occurs under 
your Coinbase Account. We may, in our sole discretion, refuse to open a Coinbase Account, or limit the number of Coinbase 
Accounts that you may hold or suspend or terminate any Coinbase Account or the trading of specific Digital Currency in your 
account. 


1.4. Identity Verification. During registration for your Coinbase Account, you agree to provide us with the information we request 
for the purposes of identity verification and the detection of money laundering, terrorist financing, fraud, or any other financial 
crimes and permit us to keep a record of such information. You will need to complete certain verification procedures before you are 
permitted to use the Coinbase Services. Your access to one or more Coinbase Services and the limits that apply to your use of the 
Coinbase Services, may be altered as a result of information collected about you on an ongoing basis. The information we request 
may include certain personal information, including, but not limited to, your name, address, telephone number, e-mail address, 
date of birth, taxpayer identification number, a government identification, and information regarding your bank account (such as 
the name of the bank, the account type, routing number, and account number) and in some cases (where permitted by law), special 
categories of personal data, such as your biometric information. In providing us with this or any other information that may be 
required, you confirm that the information is accurate and authentic. You agree to keep us updated if any of the information you 
provide changes. You authorize us to make inquiries, whether directly or through third parties, that we consider necessary 
to verify your identity or protect you and/or us against fraud or other financial crime, and to take action we reasonably 
deem necessary based on the results of such inquiries. When we carry out these inquiries, you acknowledge and agree that 
your personal information may be disclosed to credit reference and fraud prevention or financial crime agencies and that 
these agencies may respond to our inquiries in full. This is an identity check only and should have no adverse effect on your 
credit rating. Further, you authorize your wireless operator (AT&T, Sprint, T-Mobile, US Cellular, Verizon, or any other branded 
wireless operator) to use your mobile number, name, address, email, network status, customer type, customer role, billing type, 
mobile device identifiers (IMS! and IMEI) and other subscriber status details, if available, solely to allow verification of your identity 
and to compare information you have provided to Coinbase with your wireless operator account profile information for the 
duration of the business relationship. See our Privacy Policy for how we treat your data. 


1.5. Access. To access the Coinbase Services, you must have the necessary equipment (such as a smartphone or laptop) and the 
associated telecommunication service subscriptions to access the Internet. The Coinbase Services can be accessed directly using the 
Coinbase Site. Access to Coinbase Services may become degraded or unavailable during times of significant volatility or volume. 


This could result in the inability to buy or sell for periods of time and may also lead to support response time delays. Although we 
strive to provide you with excellent service, we do not represent that the Coinbase Site or other Coinbase Services will be available 
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not be liable for any losses resulting from or arising out of transaction delays. 


2. Wallet and Custodial Services 


2.1. Wallet Services. As part of your Coinbase Account, Coinbase will provide qualifying users access to: (a) a hosted Digital 
Currency wallet(s) for holding Digital Currencies (“Digital Currency Wallet"), and (b) a hosted US Dollars ("USD") wallet for holding 
USD (a "USD Wallet’). 


2.2. Hosted Digital Currency Wallet. Your Digital Currency Wallet allows you to store, track, transfer, and manage your balances of 
Digital Currency. As used throughout, "Digital Currency" means only those particular digital currencies listed as available to trade 
or custody in your Coinbase Account (also referred to as “Supported Digital Currency"). Services and supported assets may vary 

by jurisdiction. We securely store Digital Currency private keys, which are used to process transactions, in a combination of online 
and offline storage. As a result of our security protocols, it may be necessary for us to retrieve private keys or related information 
from offline storage in order to facilitate a Digital Currency Transfers in accordance with your instructions, and you acknowledge 
that this may delay the initiation or crediting of such Digital Currency Transfers. You may elect to use other services, such as the 
Coinbase Vault, which allow you to set withdrawal time-delays and create other conditions around the custody and transfer of your 
Digital Currency. Additional rules associated with such product(s) and service(s) may apply. 


2.3. Supported Digital Currencies. Your Coinbase Account is intended solely for proper use of Supported Digital Currencies as 
designated on the Site. Under no circumstances should you attempt to use your Digital Currency Wallet to store, send, 
request, or receive any assets other than Supported Digital Currencies. Coinbase assumes no responsibility in connection 
with any attempt to use your Digital Currency Wallet with digital currencies that we do not support. If you have any 
questions about our current list of Supported Digital Currencies, please visit https://support.coinbase.com. 


2.4. Supplemental Protocols Excluded. Unless specifically announced on the Coinbase Site or other official public statement of 
Coinbase, Supported Digital Currencies excludes all other protocols and/or functionality which supplement or interact with the 
Supported Digital Currency. This exclusion includes but is not limited to: metacoins, colored coins, side chains, or other derivative, 
enhanced, or forked protocols, tokens, or coins or other functionality, such as staking, protocol governance, and/or any smart 
contract functionality, which may supplement or interact with a Digital Currency we support. Do not use your Coinbase Account to 
attempt to receive, request, send, store, or engage in any other type of transaction or functionality involving any such protocol as 
Coinbase is not configured to detect, secure, or process these transactions and functionality. Any attempted transactions in such 
items will result in loss of the item. You acknowledge and agree that supplemental protocols are excluded from Supported 
Digital Currency and that Coinbase has no liability for any losses related to supplemental protocols. 


2.5 Operation of Digital Currency Protocols. We do not own or control the underlying software protocols which govern the 
operation of Digital Currency supported on our platform. Generally, the underlying protocols are open source, and anyone can use, 
copy, modify, and distribute them. We assume no responsibility for the operation of the underlying protocols and we are not able 
to guarantee the functionality or security of network operations. In particular, the underlying protocols may be subject to sudden 
changes in operating rules (including “forks”). Any such material operating changes may materially affect the availability, value, 
functionality, and/or the name of the Digital Currency you store in your Digital Currency Wallet. Coinbase does not control the 
timing and features of these material operating changes. It is your responsibility to make yourself aware of upcoming operating 
changes and you must carefully consider publicly available information and information that may be provided by Coinbase in 
determining whether to continue to use a Coinbase Account for the affected Digital Currency. In the event of any such operational 
change, Coinbase reserves the right to takes such steps as may be necessary to protect the security and safety of assets held on the 
Coinbase platform, including temporarily suspending operations for the involved digital currency(ies), and other necessary steps; 
Coinbase will use its best efforts to provide you notice of its response to any material operating change; however, such changes are 
outside of Coinbase’s control and may occur without notice to Coinbase. Coinbase’s response to any material operating change is 
subject to its sole discretion and includes deciding not to support any new digital currency, fork, or other actions. You 
acknowledge and accept the risks of operating changes to Digital Currency protocols and agree that Coinbase is not 
responsible for such operating changes and not liable for any loss of value you may experience as a result of such changes 
in operating rules. You acknowledge and accept that Coinbase has sole discretion to determine its response to any operating 
change and that we have no responsibility to assist you with unsupported currencies or protocols. 


2.6. Digital Currency Custody and Title. All Digital Currencies held in your Digital Currency Wallet are custodial assets held by 
Coinbase for your benefit, as described in further detail below. 


2.6.1 Ownership. Title to Digital Currency shall at all times remain with you and shall not transfer to Coinbase. As the owner of 
Digital Currency in your Digital Wallet, you shall bear all risk of loss of such Digital Currency. Coinbase shall have no liability for 
Digital Currency fluctuations. None of the Digital Currencies in your Digital Currency Wallet are the property of, or shall or may be 
loaned to, Coinbase; Coinbase does not represent or treat assets in User's Digital Currency Wallets as belonging to Coinbase. 
Coinbase may not grant a security interest in the Digital Currency held in your Digital Currency Wallet. Except as required by a 
facially valid court order, or except as provided herein, Coinbase will not sell, transfer, loan, hypothecate, or otherwise alienate 
Digital Currency in your Digital Currency Wallet unless instructed by you. 


2.6.2 Control. You control the Digital Currencies held in your Digital Currency Wallet. At any time, subject to outages, downtime, 
and other applicable policies, you may withdraw your Digital Currency by sending it to a different blockchain address. As long as 
you continue to custody your Digital Currencies with Coinbase, Coinbase shall retain control over electronic private keys associated 
with blockchain addresses operated by Coinbase, including the blockchain addresses that hold your Digital Currency. 


2.6.3 Acknowledgement of Risk. You acknowledge that Digital Currency is not subject to protections or insurance provided by the 
Federal Deposit Insurance Corporation or the Securities Investor Protection Corporation. 


2.6.4 Digital Currencies Not Segregated. |n order to more securely custody assets, Coinbase may use shared blockchain 
addresses, controlled by Coinbase, to hold Digital Currencies held on behalf of customers and/or held on behalf of Coinbase. 
Although we maintain separate ledgers for Client and Coinbase accounts, Coinbase shall have no obligation to segregate by 
blockchain address Digital Currencies owned by you from Digital Currencies owned by other customers or by Coinbase. 


2.7. USD Wallet. Your USD Wallet allows you to hold and transfer USD with your Coinbase Account as described below. In general, 
we will combine the balance of your USD Wallet with other customers’ balances and either hold those funds in a custodial account 
at a U.S. FDIC-insured bank or invest those funds in liquid investments, such as U.S. treasuries, in accordance with state money 
transmitter laws. Coinbase owns the interest or other earnings on these investments. Pooled customer funds are held apart from 
Coinbase’s corporate funds and Coinbase will neither use these funds for its operating expenses or any other corporate purposes. 


2.8. USDC Wallets. You may also elect to buy USD Coin from Coinbase, a Digital Currency issued by Circle Internet Financial 
(“Circle”) and supported by Coinbase ("USDC"). You are the owner of the balance of your USDC Wallet. Coinbase is not the issuer of 
USDC, does not hold U.S. Dollars on reserve for USDC holders, and has no obligation to repurchase your USDC for USD. You can 
redeem your USDC with Circle, and Coinbase may also elect to repurchase your USDC in exchange for USD. You agree to be bound 
by the terms of the Circle USDC Agreement (located at https://support.usdc.circle.com/hc/en-us/articles/360001233386-Circle- 
USDC-User-Agreement), which provides additional obligations, undertakings, and limitations with respect to USDC. 


3. Payment Services, Purchase & Sale Transactions, Credit Transactions 


3.1. USD Funds. You can load funds into your USD Wallet from a valid bank account via ACH transfer or wire transfer. Your USD 
balance is in a pending state and will not be credited to your USD Wallet until after the bank transfer has cleared, usually with 5 
business days. We may debit your linked bank account as soon as you initiate payment. The name on your linked bank account and 
your wire transfer must match the name verified on your Coinbase Account. 


3.2. Transactions on the Coinbase Site. When you purchase (buy) or sell Digital Currency on the Coinbase Site, you are not buying 
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in your USD Wallet, (b) Digital Currency held in certain Digital Currency Wallets, as permitted by Coinbase, (c) a valid bank account 
in the name that matches the name on your Coinbase Account, or (d) a debit or credit card that matches the name on your 
Coinbase Account (each a "Valid Payment Method"). Your purchase must follow the relevant instructions on the Coinbase Site. 
Coinbase reserves the right to cancel any transaction not confirmed by you within five (5) seconds after Coinbase quotes a 
transaction price. A purchase of Digital Currency using a Valid Payment Method generally will initiate on the business day we 
receive your instructions. Purchased Digital Currency will be deposited in your Digital Currency Wallet as soon as funds have settled 
to Coinbase, which in the case of a bank account or credit or debit card may take up to five business days. You can sell Digital 
Currency and instruct Coinbase to deposit funds into your Coinbase USD Wallet or, where supported, a Digital Currency Wallet. 
Digital Currency purchases and sales are collectively referred to herein as “Digital Currency Transactions’. If Coinbase cannot 
complete your Digital Currency Transaction for any reason (such as price movement, market latency, inability to find a counterparty 
‘or your transaction, or order size), Coinbase will reject the order and notify you of such rejection. You will not be charged for a 
rejected transaction. 


3.3. Fees. In general, Coinbase makes money when you purchase or sell digital currency on our Site. A description of the Coinbase 
ees for your Coinbase Account can be found on our Pricing and Fees Disclosures page. By using Coinbase Services you agree to 
pay all applicable fees. Coinbase reserves the right to adjust its pricing and fees and any applicable waivers at any time. We will 
always notify you of the pricing and fees which apply to your transaction when you authorize the transaction and in each receipt we 
issue to you. We may charge network fees (miner fees) to process a Digital Currency Transaction on your behalf. We will calculate 
the network fee in our discretion, although we will always notify you of the network fee at or before the time you authorize the 
Digital Currency Transaction. Bank fees charged to Coinbase are netted out of transfers to or from Coinbase. You are responsible for 
paying any additional fees charged by your financial service provider. We will not process a transfer if associated bank fees exceed 
the value of the transfer. You may be required to deposit additional USD to cover bank fees if you desire to complete such a 
transfer. 


3.4. Recurring Digital Currency Transactions. If you initiate recurring Digital Currency Transactions, you authorize us to initiate 
recurring electronic payments in accordance with your selected Digital Currency Transaction and any corresponding payment 
accounts, such as recurring automated clearing house (ACH) debit or credit entries from or to your linked bank account. Your 
recurring transactions will occur in periodic installments, based on your period selection (e.g., daily, weekly, monthly), until either 
you or Coinbase cancels the recurring order. Recurring transactions scheduled for the 29th, 30th, or 31st day of a month will be 
processed the earlier of the date scheduled or on the last day of the applicable month. For example, recurring transactions 
scheduled for the 31st will be processed on the 30th in April, June, September, and November. Your recurring transaction will be 
executed within the 24-hour day on the transaction date. Transaction times may vary. 


If you select a U.S. Bank Account as your payment method for a recurring transaction, and such transaction falls on a weekend or 
holiday, or after bank business hours, the ACH credit or debit will be executed on the next business day, although the Digital 
Currency fees at the time of the regularly-scheduled transaction will apply. If your Bank is unable to process any electronic ACH 
debit entry, we will notify you of cancellation of the transaction and may avail itself of remedies set forth in this User Agreement to 
recover any amount owed to Coinbase. This authorization will remain in full force and effect until you change your recurring 
transaction settings at https://www.coinbase.com/recurring_payments, or until you provide us written notification 

at https://support.coinbase.com. You agree to notify Coinbase in writing of any changes in your linked bank account information 
prior to a recurring transaction. Coinbase may, at any time, suspend or delay recurring transactions without notice or terminate 
recurring transactions by providing notice to you. 


3.5. Credit Transaction Payments. You may use the "Make A Payment” option on the Coinbase Site from time to time to authorize 
payments for any credit transaction with us or any of our affiliates, including any amount owing pursuant to any credit agreement 
you may enter into with us or any of our affiliates, from time to time. With this option, you can authorize us or our affiliates to make 
a one-time charge to your linked deposit account through the ACH network (your “Preferred Payment Method”). You may select 
or approve the dollar amount and transaction date for each one-time payment you authorize using your Preferred Payment 
Method. We and our affiliates reserve the right to limit the amount and date of these one-time charges, screen transactions, and 
take other steps for our own risk management and business reasons. Although we or our affiliates will try to notify you if your 
depository institution is unable or unwilling to process any one-time charge using your Preferred Payment Method, you agree we 
are not required to do so and you are still required to make payments in the time and manner required by your credit agreement 
with us or any of our affiliates. 


3.6. Revocation. When you give us instructions to purchase (buy) Digital Currency, you cannot withdraw your consent to that 
purchase unless the purchase is not scheduled to occur until a future date e.g. you set up a recurring purchase of Digital Currency 
(a "Future Transaction"). In the case of a Future Transaction, you may withdraw your consent up until the end of the business day 
before the date that the Future Transaction is scheduled to take place. To withdraw your consent to a Future Transaction, follow the 
instructions on the Coinbase Site. 


3.7. Unauthorized and Incorrect Transactions. When a Digital Currency or USD transaction occurs using your credentials, we will 
assume that you authorized such transaction, unless you notify us otherwise. If you believe you did not authorize a particular 
transaction or that a transaction was incorrectly carried out, you must contact us as soon as possible either by email free of charge 
at https://support.coinbase.com or by phone at +1 (888) 908-7930 (international call charges may apply). It is important that you 
regularly check your USD Wallet and Digital Currency Wallet balances and your transaction history regularly to ensure you notify us 
as soon as possible of any unauthorized or incorrect transactions to. We are not responsible for any claim for unauthorized or 
incorrect transactions unless you have notified us in accordance with this section. 


3.8. Account Information. You will be able to see your USD Wallet and Digital Currency Wallet balances using the Coinbase Site. 
You can also see your transaction history using the Coinbase Site, including (i) the amount (and currency) of each Digital Currency 
Transaction, (ii) a reference to the identify of the payer and/or payee (as appropriate), (iii) any fees charged (excluding any spread, 
or margin, over the prevailing market rate on Coinbase’s trading platform), (iv) if applicable, the rate of exchange, and the amount 
(in the new currency) after exchange (where you are the payer) or the amount (in the original currency) before the exchange (where 
you are the payee), and (v) the date of each Digital Currency Transaction. 


3.9. Consent to access, processing and storage of your personal data. You consent to us accessing, processing and retaining 
any personal information you provide to us for the purpose of us providing Coinbase Services to you. This consent is not related to, 
and does not affect, any rights or obligations we or you have in accordance with data protection laws, privacy laws and regulations. 
You can withdraw your consent at any time by closing your account with us. However, we may retain and continue to process your 
personal information for other purposes. Please see our Privacy Policy for further information about how we process your personal 
data, and the rights you have in respect of this. 


3.10. Reversals & Cancellations. You cannot cancel, reverse, or change any transaction marked as complete or pending. If your 
payment is not successful, if your payment method has insufficient funds, or if you reverse a payment made from funds in your 
bank account, you authorize Coinbase, in its sole discretion, either to cancel the transaction or to debit your other payment 
methods, including your USD Wallet or Digital Currency Wallet balances or other linked accounts, in any amount necessary to 
complete the transaction. You are responsible for maintaining an adequate balance and/or sufficient credit limits in order to avoid 
overdraft, non-sufficient funds (NSF), or similar fees charged by your payment provider. We reserve the right to refuse to process, or 
to cancel or reverse, any Digital Currency Transaction or Transfers in our sole discretion, even after funds have been debited from 
your account(s), if we suspect the transaction involves (or has a high risk of involvement in) money laundering, terrorist financing, 
fraud, or any other type of financial crime; in response to a subpoena, court order, or other government order; if we reasonably 
suspect that the transaction is erroneous; or if Coinbase suspects the transaction relates to Prohibited Use or a Prohibited Business 
as set forth below. In such instances, Coinbase will reverse the transaction and we are under no obligation to allow you to reinstate 
a purchase or sale order at the same price or on the same terms as the cancelled transaction. 


3.11. Payment Services Partners. Coinbase may use a third party payment processor to process any US Dollar payment between 


you and Coinbase, including but not limited to payments in relation to your use of the Digital Currency Transactions or deposits or 
withdrawals from your USD Wallet or Coinbase Pro Account. 


4. Diaital Currency Transfers 
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4.1. In General. If you have sufficiently verified your identity, your Digital Currency Wallet enables you to send Supported Digital 
Currency to, and request, receive, and store Supported Digital Currency from, third parties by giving instructions through the 
Coinbase Site. Your transfer of Supported Digital Currencies between your other digital currency wallets (including wallets off the 
Coinbase Site) and to and from third parties is a “Digital Currency Transfer’. 


4.2. Pending Transactions. Once a Digital Currency Transfer is submitted to a Digital Currency network, the transaction will be 
unconfirmed and remain in a pending state for a period of time sufficient to confirmation of the transaction by the Digital Currency 
network. A Digital Currency Transfer is not complete while it is in a pending state. Pending Digital Currency Transfers that are 
initiated from a Coinbase Account will reflect a pending transaction status and are not available to you for use on the Coinbase 
platform or otherwise while the transaction is pending. 


4.3. Inbound Digital Currency Transfers. When you or a third party sends Digital Currency to a Coinbase wallet from an external 
wallet not hosted on Coinbase (“Inbound Transfers”), the person initiating the transaction is solely responsible for executing the 
transaction properly, which may include, among other things, payment of sufficient network or miner's fees in order for the 
transaction to be successful. Insufficient network fees may cause an Inbound Transfer to remain in a pending state outside of 
Coinbase’s control and we are not responsible for delays or loss incurred as a result of an error in the initiation of the transaction 
and have no obligation to assist in the remediation of such transactions. By initiating an Inbound Transfer, you attest that you 
are transacting in a Supported Digital Currency which conforms to the particular Coinbase wallet into which funds are 
directed. For example, if you select an Ethereum wallet address to receive funds, you attest that you are initiating an 
Inbound Transfer of Ethereum alone, and not any other currency such as Bitcoin or Ethereum Classic. Coinbase incurs no 
obligation whatsoever with regard to unsupported digital currency sent to a Coinbase Account or Supported Digital 
Currency sent to an incompatible Digital Currency wallet. Erroneously transmitted funds will be lost. We recommend 
customers send a small amount of Supported Digital Currency as a test prior to initiating a send of a significant amount of 
Supported Digital Currency. Coinbase may from time to time determine types of Digital Currency that will be supported or cease to 
be supported. 


4.4. Outbound Digital Currency Transfers. When you send Digital Currency from your Coinbase Account to an external wallet 
(‘Outbound Transfers”), such transfers are executed at your instruction by Coinbase. You should verify all transaction information 
prior to submitting instructions to us. Coinbase shall bear no liability or responsibility in the event you enter an incorrect blockchain 
destination address. We do not guarantee the identity or value received by a recipient of an Outbound Transfer. Digital Currency 
Transfers cannot be reversed once they have been broadcast to the relevant Digital Currency network, although they may be in a 
pending state, and designated accordingly, while the transaction is processed by network operators. Coinbase does not control the 
Digital Currency network and makes no guarantees that a Digital Currency Transfer will be confirmed by the network. We may 
refuse to process or cancel any pending Outbound Digital Currency Transfers as required by law or any court or other authority to 
which Coinbase is subject in any jurisdiction. Additionally, we may require you to wait some amount of time after completion of a 
transaction before permitting you to use further Coinbase Services and/or before permitting you to engage in transactions beyond 
certain volume limits. 


4.5. Transfers to a Recipient Email Address. Coinbase allows you to initiate a Digital Currency Transfer to a Coinbase customer by 
designating that customer's email address. If you initiate a Digital Currency Transfer to an email address, and the recipient does not 
have an existing Coinbase Account, we will invite the recipient to open a Coinbase Account. If the recipient does not open a 
Coinbase Account within 30 days, we will return the relevant Digital Currency to your Digital Currency Wallet. 


4.6. Third Party Merchants. We have no control over, or liability for, the delivery, quality, safety, legality or any other aspect of any 
goods or services that you may purchase from a third party (including other users of Coinbase Digital Currency Services). We are 
not responsible for ensuring that a third party buyer or a seller you transact with will complete the transaction or is authorised to 
do so. If you experience a problem with any goods or services purchased from, or sold to, a third party using Digital Currency 
transferred using the Coinbase Digital Currency Services, or if you have a dispute with such third party, you should resolve the 
dispute directly with that third party. If you believe a third party has behaved in a fraudulent, misleading, or inappropriate manner, 
or if you cannot adequately resolve a dispute with a third party, you may notify Coinbase Support 

at https://support.coinbase.com so that we may consider what action to take, if any. 


4.7. Debts. In the event that there are outstanding amounts owed to us hereunder, including in your Coinbase Account, Coinbase 
reserves the right to debit your Coinbase Account or Coinbase Pro Account accordingly and/or to withhold amounts from funds 
you may transfer from your Coinbase Pro Account to your Coinbase Account. 


5. Additional Services 


5.1. Generally. In addition to the Services above, the following services (Additional Services") may be made available by 
Coinbase to users that fulfill certain eligibility criteria. 


5.2. Coinbase Pro Services. Coinbase Pro Services are services related to Coinbase Pro's order matching platform. If you are 
eligible and elect to use the Coinbase Pro Services, you must establish a Coinbase Pro account at pro.coinbase.com ("Coinbase Pro 
Account"). The provisions of this Section 5.1. apply to your use of such Coinbase Pro Services in addition to the other applicable 
provisions of this Agreement, including without limitation the releases, indemnities, disclaimers, limitations of liability, prohibited 
use, dispute resolution, and cancellation policies set forth above. Additionally. you also accept and agree to be bound by the 
Trading Rules and the Coinbase Pro Trading Fees. 


5.2.1 Coinbase Pro Account. You may not sell, lease, furnish or otherwise permit or provide access to your Trading Account to any 
other entity or to any individual that is not your employee or agent. You accept full responsibility for your employees' or agents' use 
of Coinbase Pro, whether such use is directly through the Coinbase Pro website or by other means, such as those facilitated 
through API keys, and/or applications which you may authorize. You understand and agree that you are responsible for any and all 
orders, trades, and other instructions entered into Coinbase Pro including identifiers, permissions, passwords, and security codes 
associated with your Coinbase Pro Account. 


5.2.2 Order Books. Coinbase Pro Services offer an order book for various Digital Currency and Fiat Currency trading pairs (each an 
"Order Book"). Refer to your Coinbase Pro Account to determine which Order Books are available to you. 


5.2.3 Associated Tools. In addition to the Wallet Services detailed in Section 2.1, your Coinbase Pro Account provides you access 
to associated user tools, accessible at pro.coinbase.com and through the Coinbase Pro API. 


5.3. USDC Rewards. 


USDC IS NOT LEGAL TENDER. USDC IS A DIGITAL CURRENCY AND COINBASE HAS NO RIGHT TO USE ANY USDC YOU HOLD 
ON COINBASE. COINBASE IS NOT A DEPOSITORY INSTITUTION, AND YOUR USDC WALLET IS NOT A DEPOSIT ACCOUNT. 
YOUR USDC WALLET IS NOT INSURED BY THE FEDERAL DEPOSIT INSURANCE CORPORATION (FDIC) OR THE SECURITIES 
INVESTOR PROTECTION CORPORATION (SIPC). 


5.3.1 Eligibility. If you are eligible, you can earn rewards for holding USDC on Coinbase.com. So long as you hold at least $1 of 
USDC in your Coinbase.com account, you will automatically earn amounts of USDC as described below in the “Calculation” section 
(“USDC Rewards”). If at any time you do not hold at least $1 of USDC in your Coinbase.com account, your enrollment in USDC 
Rewards will be paused until such time that you do hold at least $1 of USDC in your Coinbase.com account. During such period you 
will retain all USDC Rewards previously accrued but not yet distributed. Such accrued rewards will be distributed as described below 
in the “Calculation” section. If at any time you are deemed ineligible, your enrollment in USDC Rewards will be similarly paused. You 
can opt-out of, or back into, USDC Rewards at any time by following the instructions here. If you opt-out of USDC Rewards or close 
your Coinbase.com account, you will forfeit the rewards you have accrued (that are not yet distributed for the current calendar 
month) up to that time. USDC held on Coinbase Pro is not eligible for USDC Rewards. 


5.3.2 Calculation. Rewards are earned on a daily basis in the form of USDC at the then current USDC Rewards Rate. Our 
current USDC Rewards Rate can be found here. Our current USDC Rewards Annual Percentage Yield, which includes the effect of 
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USDC wallet within 5 business days after the start of the next calendar month. USDC Rewards distributed to you are rounded-down 
to the nearest sixth decimal place. We use the Daily Balance Method to determine the rewards you earn for a particular day, using 
your average balance of USDC on that specific day as that day's balance. The rate used to determine rewards earned for a particular 
day is the then current USDC Rewards Rate divided by 365. 


5.3.3 Changes. We reserve the right to change the USDC Rewards Rate Annual Percentage Yield at any time by 

notification here and here and by other reasonable means of notice (including e-mail). Unless otherwise stated in the notice, no 
change will be effective until the first day of the calendar month after such notice is made. We reserve the right to add, change, or 
delete any provision of these terms and to terminate the USDC rewards program, or your participation in the program, at any time 
upon notice made in the same manner. 


5.3.4 Definitions. 


“USDC Rewards Rate” means the annual rate of rewards earned on a USDC wallet, which does not reflect compounding. The 
current USDC Rewards Rate can be found here. 


“USDC Rewards Annual Percentage Yield” or “APY” means the percentage rate reflecting the total amount of USDC Rewards 
earned, based on the then current USDC Rewards Rate and end of month compounding for a 365-day period. The current USDC 
Rewards Annual Percentage Yield can be found here and here. 


“Daily Balance Method” means the application of the daily periodic rate (derived from the APY) to the calendar day average of 
USDC held in your USDC wallet each day. 


“Day” means a UTC calendar day. 


5.4 Staking Services. When you hold Digital Currencies on Coinbase you may be given the option to “stake” these assets in a third 
party proof of stake network via staking services provided by Coinbase or an affiliate or a third party. In a proof of stake network, 
transaction validators are chosen using a formula based on the amount of underlying Digital Currency staked by the validator as 
opposed to computing power (i.e., proof of work). Please visit our staking information page for further details on how proof of 
stake works. Staking services are not available for Digital Currencies held on Coinbase Pro. 


5.4.1 Staking Service is Optional. Staking services may be made available to you by default for Digital Currencies where staking 
functionality is available on Coinbase. YOU ARE NOT REQUIRED TO STAKE WITH COINBASE AND YOU CAN OPT-OUT OF ANY 
DEFAULT COINBASE STAKING SERVICES AT ANY TIME THROUGH THE SETTINGS PAGE IN YOUR ACCOUNT. Unless otherwise 
specified, if you opt-out of staking services, you can opt back in at any time with immediate effect. 


5.4.2 The Service; Rewards; Commission; Limitations. (a) If you stake your assets with us, Coinbase, or one of its affiliates, will 
facilitate the staking of those assets on your behalf by acting as a transaction validator on the applicable network for the Digital 
Currency you stake. If Coinbase or an affiliate successfully validates a block of transactions in that Digital Currency, you may earn a 
reward granted by that Digital Currency’s network. Your reward will be determined by the protocols of the applicable network. 
Coinbase will distribute any earned rewards to you after receipt by Coinbase, minus a 25% commission. (b) Some Digital Currency 
networks subject staked assets to “slashing” if the transaction validator representing those assets incorrectly validates a transaction. 
Coinbase will use commercially reasonable efforts to ensure that your assets will not be slashed, but in the unlikely event they are, 
Coinbase will promptly replace your assets at no additional cost. Some Digital Currency networks require that a certain amount of 
staked assets be locked (restricted from sale or transfer) for a certain period of time while staking. Coinbase may also have 
additional sale or withdrawal limitations for particular staked assets if you are opted-in to staking. 


5.4.3 No Guarantee of Rewards. You have no right to a reward until it is received by Coinbase. Rewards will be distributed to your 
account promptly after they are received by Coinbase. Unless otherwise stated, Coinbase will use commercially reasonable efforts to 
stake any Digital Currencies for which you are using Coinbase staking services. Unless otherwise specified, the “staking rewards 
rate" disclosed by Coinbase for a particular Digital Currency is an annualized historical rate based on the staking rewards generated 
by Coinbase in providing staking services to Coinbase customers for that Digital Currency over the last 90 days. This rate is an 
estimate and changes over time. COINBASE DOES NOT GUARANTEE THAT YOU WILL RECEIVE STAKING REWARDS, ANY SPECIFIC 
STAKING REWARD, OR ANY STAKING RETURN OVER TIME, INCLUDING THE STAKING REWARDS RATES. 


5.4.4 Tax Treatment. The tax treatment of certain Digital Currency transactions is uncertain, and it is your responsibility to 
determine what taxes, if any, arise from these transactions. Users are solely responsible for reporting and paying any applicable 
taxes arising from staking through Coinbase staking services and all related transactions (e.g., any exchange or sale of your staked 
ETH), and acknowledge that Coinbase does not provide investment, legal, or tax advice to you in connection with such election to 
participate. You should conduct your own due diligence and consult your advisors before making any investment decision including 
whether to participate in staking and related transactions. 


5.4.5 Ethereum Staking. Supplemental to the terms outlined above, the following terms apply to staking your ETH through the 
Coinbase staking services. In the event of a conflict between the terms contained in this section and anything else in this 
Agreement, the terms in this section will govern: 


(a) Eligibility. Users who wish to stake ETH through Coinbase must meet certain requirements, as set forth here. These 
requirements are subject to change. 


(b) Lockup Period. If you choose to stake your ETH, your ETH will be pledged for staking and will become locked on the Ethereum 
protocol until Phase 1.5 of the Ethereum network upgrade is completed. Coinbase has no control over the duration of or end date 
for the lockup period, which will ultimately be determined by the success of the update to the Ethereum network. Unlike other 
staking services provided through Coinbase, you will be unable to “Opt Out” of ETH staking once you've staked your assets. 
Coinbase will not refund or replace any ETH you wish to unstake. Unless otherwise stated on the Coinbase interface, you will not be 
able to trade, transfer or otherwise access your staked ETH during the lockup period. 


(c) No Guarantee of Success of Network Upgrade. Coinbase makes no guarantees that the upgrade to the Ethereum network 
will be successful, and you understand that if the network upgrade ultimately fails, you may lose all, or a portion of, your staked 
ETH. Coinbase will not be responsible for any ETH lost due to a network upgrade failure. 


(d) Ethereum Staking Rewards. Any rewards earned while staking your ETH through Coinbase will, unless otherwise stated, 
remain locked onchain until Phase 1.5 of the Ethereum network upgrade is completed. ETH staking rewards reflected in your 
account prior to the completion of Phase 1.5 of the Ethereum network upgrade are an estimate based on a combination of reward 
rates and the period of time for which you've staked your ETH (minus any Coinbase fees). Rewards will be reflected in your 
account, but may not be actually credited until the end of the lockup period. Unless otherwise stated, you will not be able to trade, 
transfer, or otherwise access your ETH staking rewards during the lockup period. 


(e) Slashing Penalties. Staking ETH means your staked assets can be subject to “slashing” by the Ethereum network if the 
transaction validator representing those assets incorrectly validates a transaction. Coinbase will use commercially reasonable efforts 
to protect against slashing incidents: however, in the event of slashing, Coinbase will replace your assets so long as such penalties 
are not a result of: i) protocol-level failures caused by bugs, maintenance, upgrades, or general failure; ii) your acts or omissions; iii) 
acts or omissions of any third party service provider; iv) a force majeure event as defined in Section 9.11 of the User Agreement; v) 
acts by a hacker or other malicious actor; or vi) any other events outside of Coinbase’s reasonable control. 


(f) Liquidity. Coinbase may offer you the ability to exchange or sell your staked ETH prior to the completion of Phase 1.5 of the 
Ethereum network upgrade. Coinbase does not guarantee that the offering of any such option will result in a successful exchange 
or sale, and Coinbase will not backstop or otherwise intervene to guarantee liquidity. In the event that you take advantage of any 
offered ability to exchange or sell your staked ETH, Coinbase does not guarantee the value of your ETH principal or related 
rewards. Accessing your locked ETH may result in a loss of any rewards accrued until that point. Coinbase is not responsible for 


any decrease in the value of your staked ETH principal or any rewards associated with allowing you the ability to exchange or sell 
your staked ETH. 
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5.5 Advanced Trading. Coinbase offers and you may access an order book for various Digital Currency and Fiat Currency trading 
pairs (each an “Order Book") on the Coinbase Site ("Advanced Trading"). See your Coinbase Account to see what Order Books are 
available within Advanced Trading. Coinbase does not offer Advanced Trading to customers in all jurisdictions. By accessing 
Advanced Trading or the Coinbase API for Advanced Trading, you accept and agree to be bound by the Trading Rules. 


5.6 Direct Deposit. If you are eligible for our Direct Deposit feature ("Direct Deposit"), and we have verified your required 
identifying information, you may arrange to have all or part of your paycheck or any eligible federal or state government benefit or 
payment (e.g., federal or state tax refunds or Social Security payments) transferred into your Coinbase Account by your employer or 
government payer, as applicable. You may select whether you want such funds to be transferred into your Coinbase Account as U.S. 
Dollars or a Digital Currency available for Direct Deposit. Not all Digital Currencies may be available for Direct Deposit. 


5.6.1 Direct Deposit Enrollment. You can enroll by using our automated feature which links directly to your payroll provider or 
you can provide your employer, payroll provider or the government payer with the account and routing numbers we provide to 
you. We will also provide you with a direct deposit form that you may give to your employer by way of PDF file that can be saved 
or emailed to your personal email address or your human resources or payroll department. The account and routing numbers we 
provide to you do not represent a bank account on your behalf. Upon enrollment, you must select the amount of your paycheck 
you would like deposited to your Coinbase Account and select the currency you would like the amount deposited or converted to. 
We do not charge any fees to set up or maintain Direct Deposit and we will waive the Coinbase trading fee but will include a spread 
to exchange your Direct Deposit funds to a Digital Currency (see pricing and fee disclosures for more information). You are 
responsible for any fees associated with subsequent conversion or transfer of Digital Currencies. 


5.6.2 Coinbase Card. In order to utilize Direct Deposit, you must have a Coinbase Visa Card (“Coinbase Card”). The Coinbase Card 
is governed by the Cardholder Agreement with MetaBank National Association ("MetaBank") and this User Agreement (see 
Appendix 5 for Coinbase Card User Terms which details how to use the card and the fees that apply for USD and Digital Currency 
transactions). If you do not already have a Coinbase Card, as part of the Direct Deposit application and enrollment process, you will 
automatically be considered for, and if approved, granted a Coinbase Card at no cost to you. The Coinbase Card is a debit card 
linked to your Digital Currency Wallet and USD Wallet. 


5.6.3 Transfer Limits. You may not deposit more than $10,000 per day using Direct Deposit. We reserve the right to accept, reject 
or limit transfers via Direct Deposit in our and MetaBank’s sole discretion. 


5.6.4 Funds Availability and Conversion. Funds added to your account via Direct Deposit are transferred to and held by 
MetaBank. The availability of your Direct Deposit funds is subject to the timing of your payer's funding processes. Funds transferred 
via Direct Deposit will typically be available 3-5 business days (excluding Federal holidays) from the day your payer initiated the 
deposit. Because we do not receive funds via Direct Deposit instantly, there will be some delay between the payment being initiated 
by the payer and the payment arriving in your Coinbase Account. There may also be a delay depending on the third party payroll 
provider. 


If you elect to receive your Direct Deposit funds in the form of a Digital Currency, then upon confirmation from MetaBank that your 
funds have arrived, we will convert your funds from USD to your selected Digital Currency at the Exchange Rate at the time of such 
conversion and deposit into your Coinbase Account. You understand that your acquired Digital Currencies are exposed to 
exchange rate risk such that your Digital Currency holdings may either appreciate or depreciate in value relative to USD. 


5.6.5 Cancellation of Direct Deposit. If you wish to cancel Direct Deposits, change your deposit allocation to 0% within your 
Coinbase Account management settings. 


5.6.6 Transaction History. You may review your transaction history on the Coinbase Site to verify that each Direct Deposit has 
been received. 


5.6.7 Personal Information. If you enroll in Direct Deposit, you will be required to provide certain personal information. You 
agree that we may share personal information you previously provided to us under our Privacy Policy to verify your identity or 
address, with MetaBank National Association ("MetaBank"), and with service providers acting on our behalf or on MetaBank's behalf 
solely to verify your identity or address, and/or to manage risk as required under applicable law. Personal information shared with 
MetaBank will be treated in accordance with its Privacy Policy. Personal information that you direct us to share with a third-party 
for purposes of obtaining certain functionality in Direct Deposit will be treated in accordance with the third-party’s privacy policy, 
and Coinbase is not liable for any damages, losses, or liability associated with the third-party’s services or use, transfer, or storage of 
your personal information. If you do not provide this information, or if MetaBank is unable to verify your identity or address with 
the information provided by Coinbase, you may not be enrolled in Direct Deposit. 


5.6.8. Breach of User Agreement. We reserve the right to refuse to facilitate the processing of your application through 
MetaBank or terminate your access to Direct Deposit for any reason. 


5.6.9. Representations and Warranties. |n order to assist in the prevention of fraud you represent and warrant the following in 
connection with your Direct Deposit: 


@ In connection with tax refunds (i) the name and Social Security Number associated with each refund payment will match the 
name and Social Security Number associated with your Coinbase Account; and (ii) in the case of joint tax returns, the name of 
the first person listed in the tax return and their Social Security Number associated with the refund payment will be the name 
and Social Security Number of the Coinbase Account holder. 


@ In connection with other federal payments, the name and Social Security Number associated with each payment will match the 
name or Social Security Number associated with your Coinbase Account. 


6. Data Protection and Security 


6.1. Personal Data. You acknowledge that we may process personal data in relation to you (if you are an individual), and personal 
data that you have provided or in the future provide to us in relation to your employees and other associated or other individuals, 
in connection with this Agreement, or the Coinbase Services. Accordingly, you represent and warrant that: (i) your disclosure to us 
of any personal data relating to individuals other than yourself was or will be made in accordance with all applicable data 
protection and data privacy laws, and those data are accurate, up to date and relevant when disclosed; (ii) before providing any 
such personal data to us, you have read and understood our Privacy Policy, which is available here, and, in the case of personal data 
relating to an individual other than yourself, have (or will at the time of disclosure have) provided a copy of that Privacy Policy (as 
amended from time to time), to that individual; and (iii) if from time to time we provide you with a replacement version of 

the Privacy Policy, you will promptly read that notice and provide a copy to any individual whose personal data you have provided 
to us. 


6.2. Security Breach. If you suspect that your Coinbase Account or any of your security details have been compromised, or if you 
become aware of any fraud or attempted fraud or any other security incident (including a cyber-security attack) affecting you and / 
or Coinbase (together a "Security Breach"), you must notify Coinbase Support as soon as possible by email free of charge 

at https://support.coinbase.com or by calling us at +1 (888) 908 7930 and continue to provide accurate and up to date information 
throughout the duration of the Security Breach. You must take any steps that we reasonably require to reduce, manage or report 
any Security Breach. Failure to provide prompt notification of any Security Breach may be taken into account in our determination 
of the appropriate resolution of the matter. 


7. General Use, Prohibited Use, Death of Account Holder and Termination 
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access and use the Coinbase Services, Coinbase Site, and related content, materials, information (collectively, the "Content") solely 
for purposes approved by Coinbase from time to time. Any other use of the Coinbase Site or Content is expressly prohibited and all 
other right, title, and interest in the Coinbase Services, Coinbase Site or Content is exclusively the property of Coinbase and its 
licensors. You agree you will not copy, transmit, distribute, sell, license, reverse engineer, modify, publish, or participate in the 
transfer or sale of, create derivative works from, or in any other way exploit any of the Content, in whole or in part without the prior 
written consent of Coinbase. “Coinbase.com", "Coinbase", “Coinbase Pro", and all logos related to the Coinbase Services or 
displayed on the Coinbase Site are either trademarks or registered marks of Coinbase or its licensors. You may not copy, imitate or 
use them without Coinbase's prior written consent. 


7.2. Website Accuracy. Although we intend to provide accurate and timely information on the Coinbase Site, the Coinbase Site 
(including, without limitation, the Content) may not always be entirely accurate, complete or current and may also include technical 
inaccuracies or typographical errors. In an effort to continue to provide you with as complete and accurate information as possible, 
information may be changed or updated from time to time without notice, including without limitation information regarding our 
policies, products and services. Accordingly, you should verify all information before relying on it, and all decisions based on 
information contained on the Coinbase Site are your sole responsibility and we shall have no liability for such decisions. Information 
provided by third parties, including historical price and supply data for Digital Currencies, is for informational purposes only and 
Coinbase makes no representations or warranties to its accuracy. Links to third-party materials (including without limitation 
websites) may be provided as a convenience but are not controlled by us. You acknowledge and agree that we are not responsible 
for any aspect of the information, content, or services contained in any third-party materials or on any third-party sites accessible or 
linked to the Coinbase Site, 


7.3. Promotions. From time to time, Coinbase may make available special offers or conduct promotions for qualifying customers. 
Subject to applicable laws, Coinbase or the issuer of a Digital Currency subject to an offer or promotion may establish qualifying 
criteria to participate in any special promotion its sole discretion. Coinbase may revoke any special offer at any time without notice. 
Once Digital Currency has been deposited in a user's Digital Currency Wallet, that Digital Currency becomes the property of the 
Coinbase user with all applicable property rights, including those noted in Section 2.2 of this Agreement. Coinbase shall have no 
obligation to make special offers available to all customers. Coinbase makes no recommendation and does not provide any advice 
about the value or utility of any Digital Currency subject to a promotion. 


7.3.1. New User Incentives. Coinbase’s New User Incentives are available exclusively to new users who have not previously verified 
their ID. New User Incentives will appear in a new user's account following Coinbase’s verification of such user's identification. 
Coinbase will verify a user's identification based on its internal guidelines and governing regulations, in its sole discretion. New User 
Incentives are subject to the user agreement and are not guaranteed, even upon successful verification of a user's identification. 
New users who were referred to Coinbase through the Referral Program or who have previously opened an account using different 
contact information are ineligible to receive New User Incentives. Coinbase may update the conditions for eligibility at any time, in 
its sole discretion. 


7.4. Third-Party Applications. If, to the extent permitted by Coinbase from time to time, you grant express permission to a third 
party to access or connect to your Coinbase Account(s), either through the third party's product or service or through the Coinbase 
Site, you acknowledge that granting permission to a third party to take specific actions on your behalf does not relieve you of any 
of your responsibilities under this Agreement. You are fully responsible for all acts or omissions of any third party with access to 
your Coinbase Account(s). Further, you acknowledge and agree that you will not hold Coinbase responsible for, and will indemnify 
Coinbase from, any liability arising out of or related to any act or omission of any third party with access to your Coinbase 
Account(s). You may change or remove permissions granted by you to third parties with respect to your Coinbase Account(s) at any 
time through the tabs on the Account Settings page on the Coinbase Site. 


7.5. Prohibited Use. In connection with your use of the Coinbase Services, and your interactions with other users, and third parties 
you agree and represent you will not engage in any Prohibited Business or Prohibited Use defined herein. We reserve the right at all 
times to monitor, review, retain and/or disclose any information as necessary to satisfy any applicable law, regulation, sanctions 
programs, legal process or governmental request. We reserve the right to cancel and/or suspend your Coinbase Account(s) and/or 
block transactions or freeze funds immediately and without notice if we determine, in our sole discretion, that your Account is 
associated with a Prohibited Use and/or a Prohibited Business. 


7.6. Transaction Limits. The use of all Coinbase Services is subject to a limit on the amount of volume, stated in U.S. Dollar terms, 
you may transact or transfer in a given period (e.g., daily). To view your limits, login to your Coinbase Account(s)(s) and 

visit https://www.coinbase.com/verifications. Your transaction limits may vary depending on your payment method, verification 
steps you have completed, and other factors. Coinbase reserves the right to change applicable limits as we deem necessary in our 
sole discretion. If you wish to raise your limits beyond the posted amounts, you may submit a request 

at https://support.coinbase.com. We may require you to submit additional information about yourself or your business, provide 
records, and arrange for meetings with Coinbase staff (such process, "Enhanced Due Diligence"). Coinbase reserves the right to 
charge you costs and fees associated with Enhanced Due Diligence, provided that we notify you in advance of any such charges 
accruing. In our sole discretion, we may refuse to raise your limits or we may lower your limits at a subsequent time even if you 
have completed Enhanced Due Diligence. 


7.7. Suspension, Termination, and Cancellation. Coinbase may: (a) suspend, restrict, or terminate your access to any or all of the 
Coinbase Services, and/or (b) deactivate or cancel your Coinbase Account(s) if: (i) we are so required by a facially valid subpoena, 
court order, or binding order of a government authority; (ii) we reasonably suspect you of using your Coinbase Account(s) in 
connection with a Prohibited Use or Business; (iii) use of your Coinbase Account(s) is subject to any pending litigation, investigation, 
or government proceeding and/or we perceive a heightened risk of legal or regulatory non-compliance associated with your 
Account activity; (iv) our service partners are unable to support your use; (v) you take any action that Coinbase deems as 
circumventing Coinbase's controls, including, but not limited to, opening multiple Coinbase Accounts or abusing promotions which 
Coinbase may offer from time to time; or (vi) you breach our Behavior Policy. 


If Coinbase suspends or closes your account, or terminates your use of Coinbase Services for any reason, we will provide you with 
notice of our actions unless a court order or other legal process prohibits Coinbase from providing you with such notice. You 
acknowledge that Coinbase's decision to take certain actions, including limiting access to, suspending, or closing your account, may 
be based on confidential criteria that are essential to Coinbase's risk management and security protocols. You agree that Coinbase 
is under no obligation to disclose the details of its risk management and security procedures to you. 


You will be permitted to transfer Digital Currency or funds associated with your Hosted Digital Currency Wallet(s) and/or your USD 
Wallet(s) for ninety (90) days after Account deactivation or cancellation unless such transfer is otherwise prohibited (i) under the 
law, including but not limited to applicable sanctions programs, or (ii) by a facially valid subpoena or court order. You may cancel 
your Coinbase Account(s) at any time by withdrawing all balances and visiting https://www.coinbase.com/settings/cancel. You will 
not be charged for canceling your Coinbase Account(s), although you will be required to pay any outstanding amounts owed to 
Coinbase. You authorize us to cancel or suspend any pending transactions at the time of cancellation. 


7.8. Death of Account Holder. For security reasons, if we receive legal documentation confirming your death or other information 
leading us to believe you have died, we will freeze your Coinbase Account and during this time, no transactions may be completed 
until:(i) your designated fiduciary has opened a new Coinbase Account, as further described below, and the entirety of your 
Coinbase Account has been transferred to such new account, or (ii) we have received proof in a form satisfactory to us that you 
have not died. If we have reason to believe you may have died but we do not have proof of your death in a form satisfactory to us, 
you authorize us to make inquiries, whether directly or through third parties, that we consider necessary to ascertain whether you 
have died. Upon receipt by us of proof satisfactory to us that you have died, the fiduciary you have designated in a valid Will or 
similar testamentary document will be required to open a new Coinbase Account. If you have not designated a fiduciary, then we 
reserve the right to (i) treat as your fiduciary any person entitled to inherit your Coinbase Account, as determined by us upon 
receipt and review of the documentation we, in our sole and absolute discretion, deem necessary or appropriate, including (but not 
limited to) a Will, a living trust or a Small Estate Affidavit, or (ii) require an order designating a fiduciary from a court having 
competent jurisdiction over your estate. In the event we determine, in our sole and absolute discretion, that there is uncertainty 
regarding the validity of the fiduciary designation, we reserve the right to require an order resolving such issue from a court of 
competent jurisdiction before taking any action relating to your Coinbase Account. Pursuant to the above, the opening of a new 
Coinbase Account by a designated fiduciary is mandatory following the death of a Coinbase Account owner, and you hereby agree 
that your fiduciary will be required to open a new Coinbase Account and provide the information required under Section 2 of this 
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7.9. Unclaimed Property. If Coinbase is holding funds (whether fiat currency or Digital Currency) in your account, and Coinbase is 
unable to contact you and has no record of your use of the Services for several years, applicable law may require Coinbase to report 
these funds (including fiat currency and Digital Currency) as unclaimed property to the applicable jurisdiction. If this occurs, 
Coinbase will try to locate you at the address shown in our records, but if Coinbase is unable to locate you, it may be required to 
deliver any such funds to the applicable state or jurisdiction as unclaimed property. 


7.10. Relationship of the Parties. Coinbase is an independent contractor for all purposes. Nothing in this Agreement shall be 
deemed or is intended to be deemed, nor shall it cause, you and Coinbase to be treated as partners, joint ventures, or otherwise as 
joint associates for profit, or either you or Coinbase to be treated as the agent of the other. 


7.11. Privacy of Others; Marketing. If you receive information about another user through the Coinbase Services, you must keep 
the information confidential and only use it in connection with the Coinbase Services. You may not disclose or distribute a user's 
information to a third party or use the information except as reasonably necessary to effectuate a transaction and other functions 
reasonably incidental thereto such as support, reconciliation and accounting unless you receive the user's express consent to do so. 
You may not send unsolicited email to a user through the Coinbase Services. 


7.12. Password Security; Contact Information. You are responsible for creating a strong password and maintaining adequate 
security and control of any and all IDs, passwords, hints, personal identification numbers (PINs), API keys or any other codes that 
you use to access the Coinbase Services. Any loss or compromise of the foregoing information and/or your personal information 
may result in unauthorized access to your Coinbase Account(s) by third-parties and the loss or theft of any Digital Currency and/or 
funds held in your Coinbase Account(s) and any associated accounts, including your linked bank account(s) and credit card(s). You 
are responsible for keeping your email address and telephone number up to date in your Account Profile in order to receive any 
notices or alerts that we may send you. You should never allow remote access or share your computer screen with someone 
else when you are logged on to your Coinbase Account. Coinbase will never under any circumstances ask you for your IDs, 
passwords, or 2-factor authentication codes. We assume no responsibility for any loss that you may sustain due to 
compromise of account login credentials due to no fault of Coinbase and/or failure to follow or act on any notices or alerts 
that we may send to you. In the event you believe your Coinbase Account(s) information has been compromised, contact 
Coinbase Support immediately at https://support.coinbase.com, or report your claim by phone at (888) 908-7930. 


7.13. Developer Tools. If you use developer features of the Services, including but not limited to Coinbase Connect (OAuth2) and 
any other resources or services available at https://developers.coinbase.com/ (the “Developer Services’), you must separately 
agree to our Developer Agreement upon registering your application with Coinbase. 


7.14. Taxes. It is your sole responsibility to determine whether, and to what extent, any taxes apply to any transactions you conduct 
through the Coinbase Services, and to withhold, collect, report and remit the correct amounts of taxes to the appropriate tax 
authorities. Your transaction history is available through your Coinbase Account(s). 


7.15. No Investment Advice or Brokerage. For the avoidance of doubt, Coinbase does not provide investment, tax, or legal 
advice, nor does Coinbase broker trades on your behalf. All Coinbase trades are executed automatically, based on the parameters 
of your order instructions and in accordance with posted Trade execution procedures, and you are solely responsible for 
determining whether any investment, investment strategy or related transaction is appropriate for you based on your personal 
investment objectives, financial circumstances and risk tolerance. You should consult your legal or tax professional regarding your 
specific situation. Coinbase may provide educational information about Supported Digital Currency, as well as Digital Currency not 
supported by Coinbase, in order to assist users in learning more about such Digital Currency. Information may include, but is not 
limited to, blog posts, articles, links to to third-party content, news feeds, tutorials, and videos. The information provided on this 
website or any third-party sites does not constitute investment advice, financial advice, trading advice, or any other sort of advice, 
and you should not treat any of the website's content as such. Coinbase does not recommend that any Digital Currency should be 
bought, earned, sold, or held by you. Before making the decision to buy, sell or hold any Digital Currency, you should conduct your 
own due diligence and consult your financial advisors before making any investment decision. Coinbase will not be held responsible 
for the decisions you make to buy, sell, or hold Digital Currency based on the information provided by Coinbase. 


8. Customer Feedback, Queries, Complaints, and Dispute Resolution 


8.1. Contact Coinbase. If you have feedback, or general questions, contact us via our Customer Support webpage 
at https://support.coinbase.com. When you contact us please provide us with your name, address, and any other information we 
may need to identify you, your Coinbase Account(s), and the transaction on which you have feedback or questions. 


If you believe your account has been compromised, you may also report your claim by calling (888) 908-7930. Coinbase requires 
that all legal documents (including civil subpoenas, complaints, and small claims) be served on our registered agent for service of 
process. Current contact information for our registered agent in each state can be found here. 


Please note that our registered agent will accept service only if the entity identified as the recipient of the document is identical to 
the entity registered with the Secretary of State and for which our registered agent is authorized to accept service. By accepting 
service of a legal document, Coinbase does not waive any objections we may have and may raise in response to such document. 


8.2. Formal Complaint Process. If you have a dispute with Coinbase (a “Complaint”), you agree to contact Coinbase through our 
support team to attempt to resolve any such dispute amicably. If we cannot resolve the dispute through the Coinbase support 
team, you and we agree to use the Formal Complaint Process set forth below. You agree to use this process before filing any 
arbitration claim or small claims action. If you do not follow the procedures set out in this Section before filing an arbitration claim 
or suit in small claims court, we shall have the right to ask the arbitrator or small claims court to dismiss your filing unless and until 
you complete the following steps. 


8.2.1. Procedural Steps. In the event that your dispute with Coinbase is not resolved through your contact with Coinbase Support, 
you agree to use our Complaint form to describe your Complaint, how you would like us to resolve the Complaint, and any other 
information related to your dispute that you believe to be relevant. The Complaint form can be found on the Coinbase support 
pages, https://support.coinbase.com or can be requested from Coinbase Customer Support. If you would prefer to send a written 
complaint, please include as much information as possible, including your support case number and any other information related 
to your dispute that you believe to be relevant, and post to Coinbase Inc., 82 Nassau St #61234, New York, NY 10038 


8.2.2. Coinbase Response. We will acknowledge receipt of your Complaint form after you submit it. A Coinbase customer relations 
agent ("Agent") will review your Complaint. The Agent will evaluate your Complaint based on the information you have provided 
and information in the possession of Coinbase. Within 15 business days of our receipt of your Complaint form, the Agent will 
address the issues raised in your Complaint form by sending you an e-mail ("Resolution Notice") in which the Agent will: (i) offer to 
resolve your complaint in the way you requested; (ii) make a determination rejecting your Complaint and set out the reasons for the 
rejection; or (iii) offer to resolve your Complaint with an alternative solution. In exceptional circumstances, if the Agent is unable to 
respond to your Complaint within 15 business days for reasons beyond Coinbase's control, the Agent will send you a 
communication indicating the reasons for any delay in answering your Complaint, and specifying the deadline by which the Agent 
will respond to your Complaint, which will be no later than 35 business days from our receipt of your Complaint form. 


8.3. Arbitration; Waiver of Class Action. If we cannot resolve the dispute through the Formal Complaint Process, you and 
we agree that any dispute arising out of or relating to this Agreement or the Coinbase Services, including, without 
limitation, federal and state statutory claims, common law claims, and those based in contract, tort, fraud, 
misrepresentation, or any other legal theory, shall be resolved through binding arbitration, on an individual basis (the 
“Arbitration Agreement”). Subject to applicable jurisdictional requirements, you may elect to pursue your claim in your 
local small claims court rather than through arbitration so long as your matter remains in small claims court and proceeds 
only on an individual (non-class and non-representative) basis. Arbitration shall be conducted in accordance with the 


American Arbitration Association's rules for arbitration of consumer-related disputes (accessible 
at https://www.adr.org/sites/default/files/Consumer%20Rules.pdf). 
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This Arbitration Agreement includes, without limitation, disputes arising out of or related to the interpretation or 
application of the Arbitration Agreement, including the enforceability, revocability, scope, or validity of the Arbitration 
Agreement or any portion of the Arbitration Agreement. All such matters shall be decided by an arbitrator and not by a 
court or judge. 


CLASS ACTION WAIVER: TO THE EXTENT PERMISSIBLE BY LAW, ALL CLAIMS MUST BE BROUGHT IN A PARTY'S 
INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, COLLECTIVE ACTION, 
OR REPRESENTATIVE PROCEEDING (COLLECTIVELY “CLASS ACTION WAIVER”). THE ARBITRATOR MAY NOT CONSOLIDATE 
MORE THAN ONE PERSON'S CLAIMS OR ENGAGE IN ANY CLASS ARBITRATION. YOU ACKNOWLEDGE THAT, BY AGREEING 
TO THESE TERMS, YOU AND COINBASE ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY AND THE RIGHT TO 
PARTICIPATE IN A CLASS ACTION. 


The arbitration will be conducted by a single, neutral arbitrator and shall take place in the county or parish in which you reside, or 
another mutually agreeable location, in the English language. The arbitrator may award any relief that a court of competent 
jurisdiction could award and the arbitral decision may be enforced in any court. An arbitrator's decision and judgment thereon will 
not have a precedential or collateral estoppel effect. At your request, hearings may be conducted in person or by telephone and the 
arbitrator may provide for submitting and determining motions on briefs, without oral hearings. To the extent permitted by law, the 
prevailing party in any action or proceeding to enforce this Agreement, any arbitration pursuant to this Agreement, or any small 
claims action shall be entitled to costs and attorneys' fees. If the arbitrator or arbitration administrator would impose filing fees or 
other administrative costs on you, we will reimburse you, upon request, to the extent such fees or costs would exceed those that 
you would otherwise have to pay if you were proceeding instead in a court. We will also pay additional fees or costs if required to 
do so by the arbitration administrator's rules or applicable law. 


9. General Provisions 


9.1. Computer Viruses. We shall not bear any liability, whatsoever, for any damage or interruptions caused by any computer 
viruses or other malicious code that may affect your computer or other equipment, or any phishing, spoofing or other attack. We 
advise the regular use of a reputable and readily available virus screening and prevention software. You should also be aware that 
SMS and email services are vulnerable to spoofing and phishing attacks and should use care in reviewing messages purporting to 
originate from Coinbase. Always log into your Coinbase Account(s) through the Coinbase Site to review any transactions or 
required actions if you have any uncertainty regarding the authenticity of any communication or notice. 


9.2. Release of Coinbase; Indemnification. If you have a dispute with one or more users of the Coinbase Services, you release 
Coinbase, its affiliates and service providers, and each of their respective officers, directors, agents, joint venturers, employees and 
representatives from any and all claims, demands and damages (actual and consequential) of every kind and nature arising out of 
or in any way connected with such disputes. You agree to indemnify and hold Coinbase, its affiliates and Service Providers, and each 
of its or their respective officers, directors, agents, joint venturers, employees and representatives, harmless from any claim or 
demand (including attorneys’ fees and any fines, fees or penalties imposed by any regulatory authority) arising out of or related to 
your breach of this Agreement or your violation of any law, rule or regulation, or the rights of any third party. 


9.3. Limitation of Liability; No Warranty. IN NO EVENT SHALL COINBASE, ITS AFFILIATES AND SERVICE PROVIDERS, OR ANY OF 
HEIR RESPECTIVE OFFICERS, DIRECTORS, AGENTS, JOINT VENTURERS, EMPLOYEES OR REPRESENTATIVES, BE LIABLE (A) FOR ANY 
AMOUNT GREATER THAN THE VALUE OF THE SUPPORTED DIGITAL CURRENCY ON DEPOSIT IN YOUR COINBASE ACCOUNT(S) OR 
(B) FOR ANY LOST PROFITS, DIMINUTION IN VALUE OR BUSINESS OPPORTUNITY, ANY LOSS, DAMAGE, CORRUPTION OR BREACH 
OF DATA OR ANY OTHER INTANGIBLE PROPERTY OR ANY SPECIAL, INCIDENTAL, INDIRECT, INTANGIBLE, OR CONSEQUENTIAL 
DAMAGES, WHETHER BASED IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, ARISING OUT OF OR IN 
CONNECTION WITH AUTHORIZED OR UNAUTHORIZED USE OF THE COINBASE SITE OR THE COINBASE SERVICES, OR THIS 
AGREEMENT, EVEN IF AN AUTHORIZED REPRESENTATIVE OF COINBASE HAS BEEN ADVISED OF OR KNEW OR SHOULD HAVE 
KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY 
OF ITS ESSENTIAL PURPOSE, EXCEPT TO THE EXTENT OF A FINAL JUDICIAL DETERMINATION THAT SUCH DAMAGES WERE A 
RESULT OF COINBASE'S GROSS NEGLIGENCE, FRAUD, WILLFUL MISCONDUCT OR INTENTIONAL VIOLATION OF LAW. THIS MEANS, 
BY WAY OF EXAMPLE ONLY (AND WITHOUT LIMITING THE SCOPE OF THE PRECEDING SENTENCE), THAT IF YOU CLAIM THAT 
COINBASE FAILED TO PROCESS A BUY OR SELL TRANSACTION PROPERLY, YOUR DAMAGES ARE LIMITED TO NO MORE THAN THE 
VALUE OF THE SUPPORTED DIGITAL CURRENCY AT ISSUE IN THE TRANSACTION, AND THAT YOU MAY NOT RECOVER FOR LOST 
PROFITS, LOST BUSINESS OPPORTUNITIES, DIMINUTION IN VALUE OR OTHER TYPES OF SPECIAL, INCIDENTAL, INDIRECT, 
NTANGIBLE, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES IN EXCESS OF THE VALUE OF THE SUPPORTED DIGITAL 
CURRENCY AT ISSUE IN THE TRANSACTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
NCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 


HE COINBASE SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT ANY REPRESENTATION OR 
WARRANTY, WHETHER EXPRESS, IMPLIED OR STATUTORY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, COINBASE 
SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE 
AND/OR NON-INFRINGEMENT. COINBASE DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES THAT ACCESS TO THE SITE, 
ANY PART OF THE COINBASE SERVICES, OR ANY OF THE MATERIALS CONTAINED THEREIN, WILL BE CONTINUOUS, 
UNINTERRUPTED, TIMELY, OR ERROR-FREE. COINBASE DOES NOT GUARANTEE THAT ANY ORDER WILL BE EXECUTED, ACCEPTED, 
RECORDED OR REMAIN OPEN. EXCEPT FOR THE EXPRESS STATEMENTS SET FORTH IN THIS AGREEMENT, YOU HEREBY 
ACKNOWLEDGE AND AGREE THAT YOU HAVE NOT RELIED UPON ANY OTHER STATEMENT OR UNDERSTANDING, WHETHER 
WRITTEN OR ORAL, WITH RESPECT TO YOUR USE AND ACCESS OF THE COINBASE SERVICES AND COINBASE SITE. WITHOUT 
LIMITING THE FOREGOING, YOU HEREBY UNDERSTAND AND AGREE THAT COINBASE WILL NOT BE LIABLE FOR ANY LOSSES OR 
DAMAGES ARISING OUT OF OR RELATING TO: (A) ANY INACCURACY, DEFECT OR OMISSION OF DIGITAL CURRENCY PRICE DATA, 
(B) ANY ERROR OR DELAY IN THE TRANSMISSION OF SUCH DATA, OR (C) INTERRUPTION IN ANY SUCH DATA. 


i 


Coinbase makes no representations about the accuracy, order, timeliness or completeness of historical Digital Currency price data 
available on the Coinbase Site. Coinbase will make reasonable efforts to ensure that requests for electronic debits and credits 
involving bank accounts, credit cards, and check issuances are processed in a timely manner but Coinbase makes no 
representations or warranties regarding the amount of time needed to complete processing which is dependent upon many factors 
outside of our control. 


IF YOU ARE A NEW JERSEY RESIDENT, the provisions of this Section 9.3 are intended to apply only to the extent permitted under 
New Jersey law. 


9.4. Entire Agreement. This Agreement, the Privacy Policy, E-Sign Consent, and Appendices incorporated by reference herein 
comprise the entire understanding and agreement between you and Coinbase as to the subject matter hereof, and supersedes any 
and all prior discussions, agreements and understandings of any kind (including without limitation any prior versions of this 
Agreement), and every nature between and among you and Coinbase. Section headings in this Agreement are for convenience only 
and shall not govern the meaning or interpretation of any provision of this Agreement. 


9.5. Amendments. We may amend or modify this Agreement by posting on the Coinbase Site or emailing to you the revised 
Agreement, and the revised Agreement shall be effective at such time. If you do not agree with any such modification, your sole 
and exclusive remedy is to terminate your use of the Services and close your account. You agree that we shall not be liable to you 
or any third party for any modification or termination of the Coinbase Services, or suspension or termination of your access to the 
Coinbase Services, except to the extent otherwise expressly set forth herein. If the revised Agreement includes a material change, 
we will endeavor to provide you advanced notice via our website and/or email before the material change becomes effective. 


9.6. Assignment. You may not assign any rights and/or licenses granted under this Agreement. We reserve the right to assign our 
rights without restriction, including without limitation to any Coinbase affiliates or subsidiaries, or to any successor in interest of any 
business associated with the Coinbase Services. Any attempted transfer or assignment in violation hereof shall be null and void. 
Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their successors and permitted assigns. 


9.7. Severability. If any provision of this Agreement shall be determined to be invalid or unenforceable under any rule, law, or 
to eat 7 a 
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provision of this Agreement shall not be affected. 


9.8. Change of Control. In the event that Coinbase is acquired by or merged with a third party entity, we reserve the right, in any 
of these circumstances, to transfer or assign the information we have collected from you as part of such merger, acquisition, sale, or 
other change of control. 


9.9. Survival. All provisions of this Agreement which by their nature extend beyond the expiration or termination of this 
Agreement, including, without limitation, sections pertaining to suspension or termination, Coinbase Account cancellation, debts 
owed to Coinbase, general use of the Coinbase Site, disputes with Coinbase, and general provisions, shall survive the termination or 
expiration of this Agreement. 


9.10. Governing Law. You agree that the laws of the State of California, without regard to principles of conflict of laws, will govern 
this Agreement and any claim or dispute that has arisen or may arise between you and Coinbase, except to the extent governed by 
federal law. 


9.11. Force Majeure. We shall not be liable for delays, failure in performance or interruption of service which result directly or 
indirectly from any cause or condition beyond our reasonable control, including but not limited to, significant market volatility, any 
delay or failure due to any act of God, act of civil or military authorities, act of terrorists, civil disturbance, war, strike or other labor 
dispute, fire, interruption in telecommunications or Internet services or network provider services, failure of equipment and/or 
software, other catastrophe or any other occurrence which is beyond our reasonable control and shall not affect the validity and 
enforceability of any remaining provisions. 


9.12. Non-Waiver of Rights. This agreement shall not be construed to waive rights that cannot be waived under applicable state 
money transmission laws in the state where you are located. 


APPENDIX 1: Prohibited Use, Prohibited Businesses and Conditional Use 
Prohibited Use 


You may not use your Coinbase Account(s) to engage in the following categories of activity ("Prohibited Uses"). The specific types 
of use listed below are representative, but not exhaustive. If you are uncertain as to whether or not your use of Coinbase Services 
involves a Prohibited Use, or have questions about how these requirements apply to you, please contact us 

at https://support.coinbase.com. By opening a Coinbase Account, you confirm that you will not use your Account to do any of the 
following: 


@ Unlawful Activity: Activity which would violate, or assist in violation of, any law, statute, ordinance, or regulation, sanctions 
programs administered in the countries where Coinbase conducts business, including but not limited to the U.S. Department of 
Treasury's Office of Foreign Assets Control ("OFAC"), or which would involve proceeds of any unlawful activity; publish, 
distribute or disseminate any unlawful material or information 


®@ Abusive Activity: Actions which impose an unreasonable or disproportionately large load on our infrastructure, or 
detrimentally interfere with, intercept, or expropriate any system, data, or information; transmit or upload any material to the 
Coinbase Site that contains viruses, trojan horses, worms, or any other harmful or deleterious programs; attempt to gain 
unauthorized access to the Coinbase Site, other Coinbase Accounts, computer systems or networks connected to the Coinbase 
Site, through password mining or any other means; use Coinbase Account information of another party to access or use the 
Coinbase Site, except in the case of specific Merchants and/or applications which are specifically authorized by a user to access 
such user's Coinbase Account and information; or transfer your account access or rights to your account to a third party, unless 
by operation of law or with the express permission of Coinbase. 


@ Abuse Other Users: Interfere with another individual's or entity's access to or use of any Coinbase Services; defame, abuse, 
extort, harass, stalk, threaten or otherwise violate or infringe the legal rights (such as, but not limited to, rights of privacy, 
publicity and intellectual property) of others; harvest or otherwise collect information from the Coinbase Site about others, 
including without limitation email addresses, without proper consent 


@ Fraud: Activity which operates to defraud Coinbase, Coinbase users, or any other person; provide any false, inaccurate, or 
misleading information to Coinbase 


@ Unlawful Gambling: Lotteries; bidding fee auctions; sports forecasting or odds making; fantasy sports leagues with cash prizes; 
internet gaming; contests; sweepstakes; or games of chance that are not sanctioned by a governmental body or regulatory 
authority 


@ Intellectual Property Infringement: Engage in transactions involving items that infringe or violate any copyright, trademark, 
right of publicity or privacy or any other proprietary right under the law, including but not limited to sales, distribution, or 
access to counterfeit music, movies, software, or other licensed materials without the appropriate authorization from the rights 
holder; use of Coinbase intellectual property, name, or logo, including use of Coinbase trade or service marks, without express 
consent from Coinbase or in a manner that otherwise harms Coinbase or the Coinbase brand; any action that implies an untrue 
endorsement by or affiliation with Coinbase 


Prohibited Businesses 


In addition to the Prohibited Uses described above, the following categories of businesses, business practices, and sale items are 
barred from Coinbase Services ("Prohibited Businesses"). Most Prohibited Businesses categories are imposed by Card Network rules 
or the requirements of our banking providers or processors. The specific types of use listed below are representative, but not 
exhaustive. If you are uncertain as to whether or not your use of Coinbase Services involves a Prohibited Business, or have questions 
about how these requirements apply to you, please contact us at https://support.coinbase.com. 


By opening a Coinbase Account, you confirm that you will not use Coinbase Services in connection with any of following 
businesses, activities, practices, or items: 


© Investment and Credit Services: Securities brokers; mortgage consulting or debt reduction services; credit counseling or 
repair; real estate opportunities; investment schemes 


© = Restricted Financial Services: Check cashing, bail bonds; collections agencies. 


© Intellectual Property or Proprietary Rights Infringement: Sales, distribution, or access to counterfeit music, movies, 
software, or other licensed materials without the appropriate authorization from the rights holder 


© Counterfeit or Unauthorized Goods: Unauthorized sale or resale of brand name or designer products or services; sale of 
aoods or services that are illeaallv imported or exported or which are stolen 
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@ Regulated Products and Services: Marijuana dispensaries and related businesses; sale of tobacco, e-cigarettes, and e-liquid; 
online prescription or pharmaceutical services; age restricted goods or services; weapons and munitions; gunpowder and other 


explosives; fireworks and related goods; toxic, flammable, and radioactive materials; products and services with varying legal 
status on a state-by-state basis 


®@ Drugs and Drug Paraphernalia: Sale of narcotics, controlled substances, and any equipment designed for making or using 
drugs, such as bongs, vaporizers, and hookahs 


@ =Pseudo-Pharmaceuticals: Pharmaceuticals and other products that make health claims that have not been approved or 
verified by the applicable local and/or national regulatory body 


© Substances designed to mimic illegal drugs: Sale of a legal substance that provides the same effect as an illegal drug (e.g., 
salvia, kratom) 


©@ Adult Content and Services: Pornography and other obscene materials (including literature, imagery and other media); sites 
offering any sexually-related services such as prostitution, escorts, pay-per view, adult live chat features 


@ Multi-level Marketing: Pyramid schemes, network marketing, and referral marketing programs 


@ Unfair, predatory or deceptive practices: Investment opportunities or other services that promise high rewards; Sale or resale 
of a service without added benefit to the buyer; resale of government offerings without authorization or added value; sites that 
we determine in our sole discretion to be unfair, deceptive, or predatory towards consumers 


®@ High risk businesses: any businesses that we believe poses elevated financial risk, legal liability, or violates card network or 
bank policies 


Conditional Use 


Express written consent and approval from Coinbase must be obtained prior to using Coinbase Services for the following categories 
of business and/or use ("Conditional Uses"). Consent may be requested by contacting us at https://support.coinbase.com. Coinbase 
may also require you to agree to additional conditions, make supplemental representations and warranties, complete enhanced on- 
boarding procedures, and operate subject to restrictions if you use Coinbase Services in connection with any of following 
businesses, activities, or practices: 


@ Money Services: Money transmitters, Digital Currency transmitters; currency or Digital Currency exchanges or dealers; gift 
cards; prepaid cards; sale of in-game currency unless the merchant is the operator of the virtual world; act as a payment 
intermediary or aggregator or otherwise resell any of the Coinbase Services 


©@ = Charities: Acceptance of donations for nonprofit enterprise 


©@ Games of Skill: Games which are not defined as gambling under this Agreement or by law, but which require an entry fee and 
award a prize 


© = Religious/Spiritual Organizations: Operation of a for-profit religious or spiritual organization 


APPENDIX 2: Verification Procedures and Limits 


As a regulated financial service company operating in the US we are required to identify users on our platform. This ensures we 
remain in compliance with KYC/AML laws in the jurisdictions in which we operate, something that is necessary for us to be able to 
continue to offer digital currency exchange services to our customers. Coinbase collects and verifies information about you in order 
to: (a) protect Coinbase and the community from fraudulent users, and (b) to keep appropriate records of Coinbase's customers. 
Your daily or weekly Conversion limits, Coinbase Pro deposit, withdrawal and trading limits, Instant Buy limits, USD Wallet transfer 
limits, and limits on transactions from a linked payment method are based on the identifying information and/or proof of identity 
you provide to Coinbase. 


All U.S. customers who wish to use Coinbase Services are required to establish a Coinbase Account by: 
@ Providing your name and valid email address, a password and your state of residence, 
© Certifying that you are 18 years or older, 
©@ Accepting User Agreement and Privacy Policy, and 
© = Verifying your identity by submitting the following information: 

Oo Name 

© DOB 

© Physical address 

© SSN (or ID # from gov't issued ID) 

© Source of funds 

© Income/employment information (US only) 


© Explanation of activity (US only) 


All U.S. customers who wish to send and received Digital Currency on to the blockchain are required to: 
@ Submit a copy of an acceptable form of identification (i.e. passport, state driver's license, or state identification card), and 


© Submit a picture of yourself or a selfie from your webcam or mobile phone. 


Notwithstanding these minimum verification procedures for the referenced Coinbase Services, Coinbase may require you to provide 
or verify additional information, or to wait some amount of time after completion of a transaction, before permitting you to use any 
Cainhase Services and/or before nermittina vou to enaane in transactions hevand certain volume limits You mav determine the 


Page 11 of 34 


EXHIBIT A 
11 /34 


Soiree wernicey her ee yey Fey Sy cage Spe a tog Nivea SCAU Meador aes Guy pee tcl pam 
volume limits asshoat S@h bidet OV LAU BoA Ac BKonbdoébment 1-2 Filed 09/26/23 
You may contact us at https://support.coinbase.com to request larger limits. Coinbase will require you to submit to Enhanced Due 

Diligence. Additional fees and costs may apply, and Coinbase does not guarantee that we will raise your limits. 


APPENDIX 3: E-Sign Disclosure and Consent 


This policy describes how Coinbase delivers communications to you electronically. We may amend this policy at any time by 
providing a revised version on our website. The revised version will be effective at the time we post it. We will provide you with 
prior notice of any material changes via our website. 

Electronic Delivery of Communications 

You agree and consent to receive electronically all communications, agreements, documents, notices and disclosures (collectively, 


“Communications") that we provide in connection with your Coinbase Account(s) and your use of Coinbase Services. 
Communications include: 


®@ Terms of use and policies you agree to (e.g., the Coinbase User Agreement and Privacy Policy), including updates to these 
agreements or policies; 


®@ Account details, history, transaction receipts, confirmations, and any other Account or transaction information; 
@ Legal, regulatory, and tax disclosures or statements we may be required to make available to you; and 


@ Responses to claims or customer support inquiries filed in connection with your Account. 

We will provide these Communications to you by posting them on the Coinbase website, emailing them to you at the primary email 
address listed in your Coinbase profile, communicating to you via instant chat, and/or through other electronic communication 
such as text message or mobile push notification. 


Hardware and Software Requirements 


In order to access and retain electronic Communications, you will need the following computer hardware and software: 
@ A device with an Internet connection; 


© Acurrent web browser that includes 128-bit encryption (e.g. Internet Explorer version 9.0 and above, Firefox version 3.6 and 
above, Chrome version 31.0 and above, or Safari 7.0 and above) with cookies enabled; 


@ A valid email address (your primary email address on file with Coinbase); and 


© Sufficient storage space to save past Communications or an installed printer to print them. 

How to Withdraw Your Consent 

You may withdraw your consent to receive Communications electronically by contacting us at https://support.coinbase.com . If you 
fail to provide or if you withdraw your consent to receive Communications electronically, Coinbase reserves the right to 
immediately close your Account or charge you additional fees for paper copies. 

Updating your Information 

It is your responsibility to provide us with a true, accurate and complete e-mail address and your contact information, and to keep 
such information up to date. You understand and agree that if Coinbase sends you an electronic Communication but you do not 
receive it because your primary email address on file is incorrect, out of date, blocked by your service provider, or you are otherwise 


unable to receive electronic Communications, Coinbase will be deemed to have provided the Communication to you. 


You may update your information by logging into your account and visiting settings or by contacting our support team 
at https://support.coinbase.com. 


APPENDIX 4: State License Disclosures 


Coinbase maintains licenses to engage in money transmission activities in many states, and these licenses may impact our provision 
and your use of certain Coinbase Services depending on where you live. Coinbase's licenses and corresponding required disclosures 
can be found on the Coinbase Licenses page, which is incorporated by reference. 


if you live in the following jurisdictions, we are required to provide you with the following information: 

Alaska Please note that this license does not cover the transmission of virtual currency. 

For Alaska Residents Only: If your issue is unresolved by Coinbase, Inc. & 1-888-908-7930, please submit formal complaints with the 
State of Alaska, Division of Banking & Securities. Formal complaints must be in writing, please download the form 


here: https://www.commerce.alaska.gov/web/portals/3/pub/DBSGeneralComplaintFormupdated.pdf 


Formal complaint forms may be submitted via: 1. Fax: 907-465-1230 2. Email: msb_licensing@alaska.gov 3. Mail: Division of Banking 
& Securities PO Box 110807 Juneau, AK 99811-0807 


if you have questions regarding formal complaints, please call 907-465-2521 
Colorado Colorado State Banking Commissioner 


CUSTOMER NOTICE Entities other than FDIC insured financial institutions that conduct money transmission activities in Colorado, 
including the sale of money orders, transfer of funds, and other instruments for the payment of money or credit, are required to be 
licensed by the Colorado Division of Banking pursuant to the Money Transmitters Act, Title 11, Article 110, Colorado Revised 
Statutes. 


If you have a Question about or Problem with YOUR TRANSACTION - THE MONEY YOU SENT You must contact the Money 
Transmitter who processed your transaction for assistance. The Division of Banking does not have access to this information. 


If you are a Colorado Resident and have a Complaint about THE MONEY TRANSMITTER — THE COMPANY THAT SENT YOUR MONEY 
ALL complaints must be submitted in writing. Please fill out the Complaint Form provided on the Colorado Division of Banking's 
website and return it and any documentation supporting the complaint via mail or email to the Division of Banking at: 


Colorado Division of Banking 1560 Broadway, Suite 975 Denver, CO 80202 email: DORA_BankingWebsite@state.co.us 
website: www.dora.colorado.gov/dob 
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Colorado Customer Notice (MO7) 


Florida If you have a question or complaint, please contact the consumer assistance division of Coinbase 
at https://support.coinbase.com or 1-888-908-7930. 


Florida residents may contact the Florida Office of Financial Regulation with any unresolved questions or complaints about 
Coinbase, Inc. at 200 E. Gaines Street, Tallahassee, FL 32399-0376, telephone number: (850) 487-9687 (toll free). 


Illinois Illinois residents may contact the Illinois Department of Financial Institutions, Consumer Credit Section with any unresolved 
questions or complaints about Coinbase, Inc. at (888) 473-4858 (toll-free). 


Louisiana Please note the license issued to Coinbase by the Louisiana Office of Financial Institutions does not cover the exchange 
or transmission of virtual currency.’ 


Maryland The Commissioner of Financial Regulation for the State of Maryland will accept all questions or complaints from 
Maryland residents regarding Coinbase, Inc. (License No. 12-1163082 and NMLS ID: 1163082) by contacting the Commissioner\'s 
office at: 500 North Calvert Street, Suite 402, Baltimore, Maryland 21202, or (888) 784-0136. 


Nevada Coinbase, Inc. is licensed by the Nevada Department of Business and Industry as a money transmitter. At this time, the 
Nevada Department of Business and Industry does not license or regulate services related to virtual currency, including but not 


limited to virtual currency transmission or exchange which may be conducted by Coinbase. 


New York Please note the following disclosures associated with virtual currency: 


@ Virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to 
Federal Deposit Insurance Corporation or Securities Investor Protection Corporation protections. 


@ Legislative and regulatory changes or actions at the state, federal, or international level may adversely affect the use, transfer, 
exchange, and value of virtual currency. 


@ = Transactions in virtual currency may be irreversible, and, accordingly, losses due to fraudulent or accidental transactions may 
not be recoverable. 


@ Some virtual currency transactions shall be deemed to be made when recorded on a public ledger, which is not necessarily the 
date or time that the customer initiates the transaction. 


@ The value of virtual currency may be derived from the continued willingness of market participants to exchange fiat currency for 
virtual currency, which may result in the potential for permanent and total loss of value of a particular virtual currency should 
the market for that virtual currency disappear. 


©@ = There is no assurance that a person who accepts a virtual currency as payment today will continue to do so in the future. 


© The volatility and unpredictability of the price of virtual currency relative to fiat currency may result in significant loss over a 
short period of time. 


@ = The nature of virtual currency may lead to an increased risk of fraud or cyber attack. 


@ = The nature of virtual currency means that any technological difficulties experienced by Coinbase may prevent the access or use 
of a customer's virtual currency. 


@ Any bond or trust account maintained by Coinbase for the benefit of its customers may not be sufficient to cover all losses 
incurred by customers. 


Coinbase, Inc., is regulated and licensed as a money transmitter by the New York State Department of Financial Services. If you have 
a question or complaint, please contact the consumer assistance division of Coinbase at https://support.coinbase.com or 1-888- 
908-7930. 


For unresolved complaints, you may mail a complaint to Coinbase Inc., 82 Nassau St #61234, New York, NY 10038 


Tennessee Please note that this license and the required surety bond do not cover the transmission of virtual currency. Coinbase is 
licensed by the Tennessee Department of Financial Institutions as a money transmitter. The Tennessee Department of Financial 
Institutions does not regulate virtual currency. 


Texas If you have a complaint, first contact the consumer assistance division of Coinbase at https://support.coinbase.com or (888) 
908-7930. If you still have an unresolved complaint regarding the company\'s money transmission or currency exchange activity, 
please direct your complaint to: Texas Department of Banking, 2601 North Lamar Boulevard, Austin, Texas 78705, 1-877-276-5554 
(toll free), www.dob.texas.gov. 


Virginia Coinbase, Inc. is licensed by the Virginia State Corporation Commission as a money transmitter, but such license does not 
cover the transmission of virtual currency (Bitcoin). 


Washington Please note the following disclosures associated with virtual currency: If you have a complaint, first contact the 
consumer assistance division of https://support.coinbase.com or 1-888-908-7930, and if you still have an unresolved complaint 
regarding the company’s money transmission activity, please contact the Washington State Department of Financial Institutions, 
Division of Consumer Services using one of the following methods: File a complaint online, mail or fax: 
https://dfi.wa.gov/consumers/loan-complaints. Call us: 1-877-RING DFI (1-877-746-4334). Email us: 
CSEnforceComplaints@dfi.wa.gov. 


Fraudulent transactions may result in loss of their money with no recourse. A description of the pricing and fees for transactions can 
be found in Section 3.3 above and on our Pricing and Fees page. Information about how your Coinbase Account funds are insured 
can be found on our Insurance Help Page. The nature of virtual currency may lead to an increased risk of fraud or cyber attack and 
virtual currency may be irretrievably stolen. The transfer of Digital Currency is irrevocable with the exception of a Future Transaction. 


If you believe you did not authorize a particular transaction or that a transaction was incorrectly carried out, you must contact us as 
soon as possible either by email free of charge at https://support.coinbase.com or by phone at +1 (888) 908-7930 (international call 
charges may apply). For more information can be found in Section 3.7 above. 


Appendix 5: Using Your Coinbase Card 


1. Coinbase Card. When you hold Fiat Currency denominated in U.S. Dollars (USD) or Digital Currency on Coinbase you may be 
given the option to apply for a Coinbase Visa Card (“Card”) issued by MetaBank National Association ("MetaBank’). To use the 
Card, you must agree to the terms ("Terms") set out below and to the Coinbase Card Cardholder Agreement with MetaBank 
(‘Cardholder Agreement’). 
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Cardholder Agreement and this User Agreement. 


1.2. Role of the Card. The Card can be used to purchase goods and services from merchants at point of sale terminals, over the 
telephone, online, or on payment platforms, or withdraw cash from automated teller machines ("ATMs") that accept Visa cards 
(‘Card Transactions’). The Card account at MetaBank (“Card Account”) will be linked to your USD Wallet and Digital Currency 
Wallet. You will be required to elect USD in your USD Wallet or a Digital Currency in your Digital Currency Wallet as your default 
spending currency ("Preferred Spending Currency") before you can use your Card and you can update your Preferred Spending 
Currency at any time. 


1.2.1 Funding your Card Account with Direct Deposit. If you are eligible and we have verified your required identifying 
information, you may fund your Card Account with Direct Deposit. Please see the Direct Deposit terms in Section 3.1.1 under Part. 
1 General Use of this User Agreement. 


1.3. Card Services. Pursuant to the terms of your Cardholder Agreement, you may use the Card to make various Card Transactions. 


1.4. Digital Currency as Preferred Spending Currency. When you select a Digital Currency as your Preferred Spending Currency 
and use your Card, you authorize Coinbase to facilitate your sale of your Digital Currency, the proceeds of which you authorize 
Coinbase to use to fund Card Transactions in USD. 


1.4.1. Role of Coinbase. Coinbase is responsible for facilitating your sale of your Preferred Digital Currency (“Digital Currency 
Services") when applicable, to other Coinbase Customers and transferring funds to your Card Account to enable payments to 
merchants for the purchase of goods and services, and to you for ATM withdrawals, in USD in the amount authorized by the Card 
Transaction (the “Purchase Price’). 


1.4.2. When you select a Digital Currency as your Preferred Spending Currency and use your Card to make a Card Transaction, you 
authorize the: 


1.4.2.1. Sale of your Preferred Digital Currency in the amount of the Purchase Price plus the accompanying fees and charges 
described in the Cardholder Agreement and Section 1.11 of these Terms and Section 3.3 of this User Agreement (together, the 
“Total Purchase Price”) and converted at the prevailing trading rate on Coinbase’s trading platform ("Exchange Rate”) (the “Total 
Transaction Price”) from your Digital Currency Wallet; and 


1.4.2.2. Transfer of the Total Purchase Price in Fiat Currency from your Coinbase USD Wallet to the Card Account so that MetaBank 
can facilitate the transfer of: (i) the Purchase Price to the merchant (i.e., for the purchase of goods and services) or to you (i.e., for 
ATM withdrawals), and (ii) any fees and charges described in the Cardholder Agreement, except for any fees and charges described 
in this User Agreement via the Visa Card Scheme ("Card Scheme’). 


1.5. Applying for the Card. If you apply for a Card, you will be required to provide certain personal information. You agree that 
we may share personal information you previously provided to us under our Privacy Policy to verify your identity, with MetaBank 
and with service providers acting on our behalf or on MetaBank’'s behalf solely to verify your identity or address, and/or to manage 
risk as required under applicable law. Personal information shared with MetaBank will be treated in accordance with its Privacy 
Policy. If you do not provide this information, or if MetaBank is unable to verify your identity with the information provided by 
Coinbase, your application for a Card will not be considered. We may refuse to facilitate processing of your application through 
MetaBank if we determine in our sole discretion that you are in breach of the terms of the User Agreement. 


1.6. Activating the Card. You must sign a physical Card as soon as you receive it and must activate the Card to be able to use it. 
Activation instructions are set out on the packaging that the Card is attached to and within the Coinbase Site. A virtual Card can be 
used immediately upon receipt and does not need to be activated. 


1.7. Using the Card. 
1.7.1. You agree that you will use the Card in accordance with these Terms, this User Agreement, and the Cardholder Agreement. 


1.7.2. Your consent will be required in order to use the Card to make a Card Transaction. You may give your consent in the 
following ways depending on the type of Card Transaction that you are trying to make and the information required by the 
merchant or ATM: 


1.7.2.1. Purchase of goods and services from a merchant on the merchant's premises from a point of sale terminal or withdrawing 
cash from an ATM: You may be required to enter the personal identification number ("PIN") that we will arrange for you to receive 
from MetaBank (or that you may choose) from time to time unless the Card Transaction is being made via a contactless card reader 
in which case the presentation of the Card will be sufficient to demonstrate consent. 


1.7.2.2. Purchase of goods and services from a merchant by telephone, online, or on a payments platform: You may be required to 
provide Card details such as the Card number, expiration date, and three digit security code from the reverse side of the Card. 


1.8. Errors or Unauthorized Transactions. If you believe your Card has been lost or stolen, or that an error or unauthorized 
transaction has occurred, you should contact Coinbase Customer Service immediately by phone at 1-888-908-7930 or email at 
card@coinbase.com. Coinbase will not be liable for unauthorized transactions. See Section 3 of the Cardholder Agreement for more 
information regarding your liability for unauthorized transactions. See Section 8 of the Cardholder Agreement for information 
regarding Error Resolution. 


1.9. Maximum Execution Time. The maximum execution time of the Card Transaction itself is dependent on actions being taken 
by the merchant, ATM owner, Card Scheme and/or other service providers. Coinbase will use commercially reasonable endeavors 
to comply with and adhere to the Card Scheme'’s settlement timing requirements. 


1.10. Usage Limits. The usage limits for the Card are set out in Section 4 of your Cardholder Agreement. 


1.11. Fees and Charges. When we perform the Digital Currency Services, Coinbase will charge fees and other charges, including 
spread, in accordance with this User Agreement. You can find a list of our fees and charges on our Pricing and Fees Disclosures 
page. These fees and charges apply in addition to any fees and charges included in your Cardholder Agreement. You are at all 
times responsible for the Total Purchase Price in Fiat Currency and the Total Transaction Price in Digital Currency when you make a 
Card Transaction. 


1.12. Refunds. If you are entitled to a refund for any reason for goods or services obtained with your Card, the refund shall be 
processed in accordance with the terms set out in Section 9(b) of your Cardholder Agreement. Once a refund has been posted by 
the merchant, we will arrange for it to be refunded to your USD Wallet in Fiat Currency. 


1.13. Right to Charge Exchange Rates for Hold Returns. |f your Card Transaction is subject to a preauthorization hold as 
described in Section 7(f) of your Cardholder Agreement, once the amount of the Total Purchase Price is received, we will arrange 
for any remaining amount to be refunded to your USD Wallet or Digital Currency Wallet (as applicable) in your Preferred Spending 
Currency, which shall be calculated using the Exchange Rate applicable at the time of refund. 


1.14. Information Regarding Card Transactions. You may find details regarding Card Transactions that you have executed in the 
Coinbase Card portal of the Coinbase Site ("Coinbase Card Portal"). 


1.15. Rewards Program. Your Card will be automatically enrolled in our digital assets rewards program (Rewards Program’) 
upon activation. You will then be able to opt-in to the Rewards Program by electing a digital asset from a range of digital assets 
that we may offer from time to time (Preferred Digital Asset"). You will then be eligible to earn that Preferred Digital Asset in 


return for Card Transactions ("Reward") except for cash withdrawals. The amount of the Reward for a Card Transaction is calculated 
by multiplying the Purchase Price by the applicable Rewards Percentage which will be published within the Coinbase Card Portal 
from time to time. This amount will be deposited into your Digital Currency Wallet in your Preferred Digital Asset. Earned and 
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forms for the year in which you participate and are awarded the benefits of the Rewards Program. You are responsible for learning 


about and paying any federal, state or local taxes that may apply to earning rewards. Please consult your tax advisor if you have 
any questions about your personal tax situation. 


1.16. Exceptions to Rewards Program. We accept no responsibility for the goods or services purchased by you with your Card. 
All such disputes must be addressed directly with the merchant providing the relevant goods or services. If you receive a return, 
credit, or chargeback related to a Card Transaction from a merchant for any good or service and we have provided you with a 
Reward for that Card Transaction, we will be entitled to debit your Digital Currency Wallet the amount of the original Reward using 
the Exchange Rate applicable at the time of the Card Transaction. Upon the commencement of any proceedings by or against you 
under any bankruptcy or insolvency law, Rewards cannot be redeemed. We reserve the right to alter, change and/or terminate the 
Rewards Program, at any time and for any reason, which may result in the cancellation of unredeemed Rewards, upon written 
(including electronic) notice to you. In addition, we reserve the right to immediately disqualify you from the Rewards Program if 
you have violated these Terms or if you have, in our determination, misused the Rewards Program. 


1.17. Right to Debit, Access, or Offset Other Coinbase Services. If for any reason you have insufficient Fiat Currency in your 
USD Wallet or insufficient Digital Currency in the relevant Digital Currency Wallet selected to fund a Card Transaction, we reserve 
the right to debit, access, or offset the amount of all or part of the Card Transaction from any other Coinbase Service that you 
obtain from us, including but not limited to any USD or Digital Currency you hold today, or in the future, in any USD Wallet, Digital 
Currency Wallet, or in connection with any other Coinbase Services. This includes situations where Coinbase has granted you 
provisional credit in USD or Digital Currency in connection with a disputed Card Transaction that is later resolved in favor of the 


opposing party. 


1.18. Restriction, Suspension, and Termination. Card Transactions or your Card use may be restricted, suspended or terminated 
with immediate effect in situations where: 


1.18.1. We are, in our reasonable opinion, required to do so by contract or by applicable law or any court or other authority to 
which we are subject in any jurisdiction; 


1.18.2. We reasonably suspect you of acting in breach of these Terms (including any provision of this User Agreement), or the 
Cardholder Agreement; 


1.18.3. We have concerns that a Card Transaction is erroneous or about the security of your Card or your Coinbase Account or we 
suspect the Coinbase Services are being used in a fraudulent or unauthorized manner; 


1.18.4. We suspect money laundering, terrorist financing, fraud, or any other financial crime; 


1.18.5. If your credit or debit card or any other valid payment method linked to your USD Wallet or Digital Currency Wallet is 
declined; 


1.18.6. Use of your Coinbase Account is subject to any pending litigation, investigation, or government proceeding and/or we 
perceive a heightened risk of legal or regulatory non-compliance associated with your Coinbase Account activity; or 


1.18.7. You have insufficient USD in your USD Wallet or insufficient Digital Currency in your Digital Currency Wallet to cover the 
Total Transaction Price of a relevant Card Transaction. 


lf Card Transactions, your Card use and/or any or all Coinbase Services are restricted, suspended or terminated in this way, we will 
(unless it would be unlawful for us to do so), provide you with notice of our actions and the reasons for refusal, restriction, 
suspension, or termination where appropriate, with the procedure for correcting any factual errors that led to the refusal, 
suspension or termination. In the event that we decline a card transaction and/or restrict, suspend, or terminate your use of the 
Card and any/or any or all Coinbase Services, we will reinstate the Card Transaction and/or lift the restriction, suspension, or 
termination as soon as reasonably practicable once the reasons for decline and/or restriction, suspension, or termination cease to 
exist. 


1.19. These Terms and the Cardholder Agreement. In the event of a conflict between this User Agreement, including these 
Terms and the Cardholder Agreement, the provisions of the Cardholder Agreement shall prevail. 


1.20. Coinbase Liability. This section operates in addition to any limitation of liability expressed elsewhere in this User Agreement. 
1.20.1. Coinbase will not be liable to you for any loss arising from: 
1.20.1.1. A merchant refusing to accept a Card; 


1.20.1.2. Any breach by Coinbase of the User Agreement due to abnormal or unforeseen circumstances beyond Coinbase’s 
reasonable control, which would have been unavoidable despite all Coinbase’s efforts to stop it; 


1.20.1.3. MetaBank restricting, suspending, or terminating a Card or refusing to issue or replace a Card in accordance with these 
Terms; 


1.20.1.4. MetaBank declining a Card Transaction that you make or attempt to make using a Card; 


1.20.1.5. Coinbase restricting, suspending, or terminating your USD Wallet, Digital Currency Wallet, or any related Coinbase 
Services; or 


1.20.1.6. Coinbase’s compliance with any applicable laws and regulations. 
1.20.2. Coinbase will not be liable for the goods or services that you purchase from a merchant using a Card. 


1.20.3. Where a Card is faulty, Coinbase’s liability shall be limited to assisting with the replacement of the Card. 


Appendix 6: Coinbase One Subscription 


The following Coinbase One Subscription Terms and Conditions are to be read in conjunction with the Coinbase User 
Agreement. 


1. Coinbase One Subscription. Eligible Users may sign up for Coinbase One which is an automatically renewing subscription 
requiring recurring payments. A Coinbase One subscription grants you the benefits of a) a waiver of Coinbase fees for buying, 
selling, and converting digital currencies on the Coinbase platform (which does not include Coinbase Pro's order matching 
platform), provided that a spread in the price is still included in all buys, sells, and conversion of digital currencies on the Coinbase 
trading platform (learn more about fees here), b) a dedicated customer support line available 24 hours a day, 7 days a week, 365 
days a year; and c) Coinbase Account Protection as detailed in paragraph 3 below. Coinbase may modify or suspend this program 
at any time upon notice. 


2. Subscription Fees and Billing. We will bill you in advance for your subscription. We will deduct the subscription fee at the start 
of your subscription and on an on-going basis the day immediately following the end of your prior subscription billing period 
unless and until you cancel your subscription, your account is otherwise suspended or terminated pursuant to the Agreement, or 
Coinbase One is suspended or terminated. The monthly subscription billing period is thirty (30) days from the date the subscription 
fee is paid. 


2.1 By choosina vour bank account as vour pavment method, vou authorize us to deduct the subscription fee from vour desianated 


Page 15 of 34 


EXHIBIT A 
15 /34 


bank account, inGASO'dA3-CV04-408 AN Act4B Kyou DOCU MENE: dosdoree red 09/26/23 


terms in this Agreement, and that this Agreement constitutes a "writing signed by you" under any applicable law or regulation, (b 

you consent to the electronic delivery of the disclosures contained in this Agreement, (c) you authorize us to make any inquiries we 
consider necessary to validate any dispute involving your payment, and (d) you authorize us to initiate one or more ACH debit 
entries (withdrawals), and you authorize the financial institution that holds your bank account to deduct such payments, in the 
amounts and frequency designated in your then-current subscription payment plan. 


2.2 By choosing your USD wallet in your Coinbase Account as your payment method, you authorize us to deduct the subscription 
fee from your USD wallet, including applicable taxes in U.S. dollars. 


If your bank account or Coinbase USD wallet does not have sufficient funds to cover your subscription payment, we will provide you 
with a 3-day grace period to add sufficient funds and make payment before we terminate your subscription. 


If you sign up for an annual plan, we will notify you of the renewal date via e-mail 30 days prior to the date of renewal. 


We reserve the right to change the terms of your subscription, including the fees, from time to time, effective as of the beginning of 
your next billing period following the date of the change. We will give you advance notice of any increased fees, increased liability, 
fewer types of available transfers, or stricter limitations on the frequency or dollar amount of transfers regarding your Coinbase One 
subscription at least 21 days before the effective date of such change. We will give you advance notice of any change in the 
payment amount from the previous payment, and the date of the next payment, at least 10 calendar days in advance of the next 
payment by e-mail to your primary e-mail address saved in your Coinbase Account. If you do not wish to accept a change to the 
price of your subscription, you may cancel your subscription as described in paragraph 4 below. 


3. Coinbase Account Protection. With an active Coinbase One subscription, you may be eligible to receive a one-time 
reimbursement for up to $1,000,000 (U.S. Dollars) of actual losses (or the U.S. Dollar equivalent thereof, in the case such losses were 
in the form of Digital Currency) that you sustain due to a compromise of your Coinbase Account login credentials resulting from a 
vulnerability or other deficiency in Coinbase’s systems and/or security protocols (the "Coinbase Account Protection’). The 
Coinbase Account Protection is subject to the terms and conditions set forth in this [Paragraph 3] (the “Coinbase Account 
Protection Warranty Terms”), which apply in addition to the terms of the Agreement and any other terms and policies set forth on 
the Coinbase Site. 


3.1 Eligibility. In order to be eligible to receive reimbursement under the Coinbase Account Protection, you must satisfy the 
following conditions: 


3.1.1 You must have an active Coinbase One subscription at the time the losses for which you are submitting a request for 
reimbursement under the Coinbase Account Protection (the “Reimbursable Losses”) were sustained; 


3.1.2 Your Coinbase Account must have been open for at least thirty (30) calendar days prior to the date on which you sustained 
the Reimbursable Losses; 


3.1.3 You must have successfully completed all steps in the photo identity verification process prior to the date on which you 
sustained the Reimbursable Losses; 


3.1.4 2-factor authentication with either an authenticator application (e.g., Duo or Google Authenticator), security key (e.g., 
Yubikey) or push notification through the Coinbase mobile application must have been enabled on your Coinbase Account at the 
time you sustained the Reimbursable Losses. 2-factor authentication via SMS is not sufficient to be eligible for coverage 
under the Coinbase Account Protection; 


3.1.5 You must file your request for reimbursement of Reimbursable Losses with Coinbase within ninety (90) days of the date on 
which you sustained the Reimbursable Losses; 


3.1.6 You must promptly file a police report with your local police department in connection with the Reimbursable Losses, and 
provide a copy of such report to Coinbase; 


3.1.7 You must not have previously received a reimbursement for losses under the Coinbase Account Protection; 
3.1.8 Your Coinbase Account must be in good standing; 


3.1.9 You will not be eligible for reimbursement under the Coinbase Account Protection if you previously falsely reported to 
Coinbase that your Coinbase Account had been compromised; and 


3.1.10 You will not be eligible for reimbursement under the Coinbase Account Protection if you engage in unreasonable, offensive 
or dishonest behavior in communicating with Coinbase about a request you've made for reimbursement under the Coinbase 
Account Protection (e.g., contacting Coinbase employees outside of official customer support channels, or using abusive language 
when communicating with Coinbase employees). 


3.2 What is not covered. 


3.2.1 The Coinbase Account Protection does not cover reimbursement for any loss of funds held outside of your Coinbase Account, 
including without limitation in Coinbase Custody, Coinbase Wallet, or non-custodial wallets connected to Coinbase Commerce. 


3.2.2 The Coinbase Account Protection does not cover reimbursement of funds that you voluntarily sent to a third party in 
connection with an investment scam or otherwise, or if you mistakenly bought Digital Currency or sent Digital Currency to the 
wrong addressee. 


3.2.3 The Coinbase Account Protection does not cover reimbursement for any losses that you sustain as the result of your 
knowingly and voluntarily participating in fraudulent activity. 


3.2.4 The Coinbase Account Protection does not cover reimbursement for any losses that were the result of a security vulnerability 
or other technical deficiency in your computer, mobile device or security key. 


3.2.5 The Coinbase Account Protection does not cover reimbursement for any losses that were the result of an event or action that 
you were aware could result in compromise of your account security, if you failed to promptly notify Coinbase of such occurrence in 
accordance with Section 6.2 (Security Breach) of the Agreement. Examples of such occurrences include, without limitation, if you 
lose your security key or API key, if you grant a third party remote access to your account, or if you provide your Coinbase Account 
login credentials and/or 2-factor authentication codes to a third party. 


3.2.6 You agree that any amounts payable to you under the Coinbase Account Protection will be reduced by any amounts you are 
able to recover or have already recovered for the applicable Reimbursable Losses from a source other than the Coinbase Account 
Protection, including without limitation, any amounts received under an insurance policy, warranty, guarantee or indemnity. 


3.3 Process for requesting reimbursement. In order to request reimbursement under the Coinbase Account Protection, please 
contact us via the Coinbase Help Center to lock your Coinbase Account and report that someone gained unauthorized access to 
your Coinbase account and withdrew your funds without your permission. After you've provided sufficient details about the 
incident (including the police report referenced in Section 3.1.6 above, along with your name, a reasonably detailed description 
about what happened, and your customer support ticket), Coinbase will investigate your case and determine whether you are 
eligible to receive reimbursement of up to $1,000,000 (U.S. Dollars) (or the U.S. Dollar equivalent of Digital Currency, as the case 
may be) in Reimbursable Losses under the Coinbase Account Protection. If Coinbase determines that you are eligible for 
reimbursement under the Coinbase Account Protection, Coinbase will provide you with a one-time payment equal to the lesser of 


(i) the actual amount of funds or Digital Currency, as the case may be, that were improperly removed from your Coinbase Account 
as a result of the compromise of your Coinbase Account login credentials as a result of a vulnerability or other deficiency in 
Coinbase’s systems and/or security protocols and (ii) $1,000,000 (U.S. Dollars) (or the U.S. Dollar equivalent of Digital Currency, as 
the case may be). If your Reimbursable Losses are in the form of Digital Currency, the foreaoing limit will be calculated based on 
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request under the Coinbase Account Protection. You will be required to provide reasonable cooperation to Coinbase in connection 

with our investigation of your case, and you must not take any actions that interfere with or otherwise impede our investigation. 

Eligibility, determination of the amount of any Reimbursable Losses, and any interpretation of these Coinbase Account Protection 

Warranty Terms will be determined by Coinbase in its sole discretion. Coinbase may condition reimbursement under the Coinbase 

Account Protection on execution of a definitive settlement agreement, including a release of claims against Coinbase, its officers, 

directors, employees, contractors, agents, and affiliates and any other applicable parties and an obligation to keep confidential the 

reimbursement amount and circumstances. Coinbase reserves the right to subrogate against any person or entity with respect to 

your claim for Reimbursable Losses. You hereby agree that in connection with any reimbursement made under the Coinbase 

Account Protection, you will cooperate fully with Coinbase in its efforts at subrogation. 


3.4 Other terms. In the event of a conflict between these Coinbase Account Protection Warranty Terms and anything else in the 
Agreement, these Coinbase Account Protection Warranty Terms will govern. Notwithstanding the foregoing, you are still primarily 
responsible for ensuring the security of your Coinbase Account, and if you suspect that you have been the victim of a Security 
Breach, you must notify Coinbase Support as soon as possible in accordance with Section 6.2 of the Agreement. The Coinbase 
Account Protection is not an insurance policy. To the extent you require protection beyond the Coinbase Account 
Protection, we strongly encourage you to purchase an insurance policy or other protection that provides coverage for 
unforeseen events that may result in the loss of funds held in your Coinbase Account. 


3.5 Amendment; Termination. Except as prohibited by law, Coinbase may terminate the Coinbase Account Protection at any time, 
and such termination will apply to incidents occurring after the effective date of the termination. In addition, except in the case of a 
suit filed to enforce these Coinbase Account Protection Warranty Terms, you acknowledge and agree that no benefits will be made 
available to you under the Coinbase Account Protection in the event you initiate any action, suit or claim against Coinbase, or its 
officers, directors, employees, contractors, agents, or affiliates, concerning a claim otherwise subject to reimbursement under these 
Coinbase Account Protection Warranty Terms. 


3.6 No Waiver. Coinbase’s failure to enforce any right or provision of these Coinbase Account Protection Warranty Terms will not 
constitute a waiver of future enforcement of that right or provision. The waiver of any such right or provision will be effective only if 
in writing and signed by a duly authorized representative of Coinbase. 


3.7 Disclaimers, Limitation of Liability, Arbitration. You acknowledge and agree that any claims arising from or in relation to the 
Coinbase Account Protection or these Coinbase Account Protection Warranty Terms are subject to the Agreement, including the No 
Warranty disclaimer and (except for Coinbase’s obligation to pay amounts pursuant to an approved reimbursement request made 
under the Coinbase Account Protection) the Limitations of Liability set forth in Section 9.3 of the Agreement. You further 
acknowledge and agree that any dispute or claim relating in any way to the Coinbase Account Protection will be adjudicated in 
accordance with Section 8 of the Agreement. 


4. Cancellation. You can cancel your subscription at any time through your account settings and clicking “subscription 
management” using a web browser or in the app. If you cancel your subscription, the cancellation will go into effect at the end of 
your current subscription period. You will have continued access to your subscription for the remainder of your paid subscription 
period. You must cancel your subscription [at least one (1) day] before it renews to avoid paying the subscription fees for the next 
subscription period. If you cancel, modify your subscription, or if your account is otherwise terminated under this Agreement, you 
will not receive a credit, including for partially used periods of the subscription service. 


5. No Transfer or Assignments & Cancellations by Coinbase. Your Coinbase One subscription cannot be transferred or assigned. 
Coinbase reserves the right to accept, refuse, suspend, or cancel your subscription at any time in its sole discretion. If Coinbase 
cancels your subscription, you will receive a refund of your subscription fee on a pro rata basis calculated from the end of the 
month during which your subscription was cancelled, unless Coinbase terminates your account or your subscription because it 
determines, in its sole discretion, that your actions or your use of the Services violates the Agreement or has harmed another User. 
6. Acknowledgement of Risk. By signing up for Coinbase One, you understand that Coinbase is not making a recommendation to 


make a specific investment, trade, or to use any specific investment strategy. Coinbase does not provide any investment, legal, or 
tax advice. 


Part 2. COINBASE PRO 


1. Coinbase Pro Accounts 


1.1 Access to Coinbase Pro. Eligible users may establish an account at Coinbase Pro (at pro.coinbase.com), an order book 
exchange platform for Digital Currencies. Coinbase does not offer Coinbase Pro to customers in all jurisdictions. This Part 2 of the 
User Agreement applies to you if you access Coinbase Pro. 


1.2 Order Books. Coinbase Pro offers an order book for various Digital Currency and Fiat Currency trading pairs (each an ‘Order 
Book’). Refer to your Coinbase Pro account to determine which Order Books are available to you. 


1.3 Your Coinbase Pro Account. Your Coinbase Pro Account consists of the following. 
®@ A dedicated Hosted Digital Currency Wallet for each Digital Currency offered on Coinbase Pro. 
©@ A dedicated Fiat Currency Wallet. 


© Associated user tools, accessible at pro.coinbase.com and through Coinbase Pro API. 


1.4 Deposits. You may fund your Coinbase Pro Account by depositing Digital Currency and/or Fiat Currency from your basic 
Coinbase Account, Bank Account or an external Digital Currency address into your Coinbase Pro Account. Funds in your Coinbase 
Pro Account can be used only to trade on Coinbase Pro. 


1.5 Withdrawals. You may withdraw Digital Currency from your Coinbase Pro Account by transfer to your basic Coinbase Account 
or to an external Digital Currency address. You may withdraw Fiat Currency from your Coinbase Pro Account to your basic Coinbase 


Account or directly to your Bank Account. 


ALL DEPOSITS AND WITHDRAWALS MAY BE SUBJECT TO LIMITS. ALL LIMITS WILL BE DISPLAYED IN YOUR Coinbase Pro 
ACCOUNT. 


1.6 Withdrawal Fees. Coinbase may also charge a fee on certain Fiat Currency deposit or withdrawal methods (e.g. bank wire). All 
such fees will be clearly displayed in your Coinbase Pro Account. 


2. Trading Rules and Trading Fees 


2.1 Trading Rules. By accessing Coinbase Pro through pro.coinbase.com or Coinbase Pro API, you accept and agree to be bound 
by the Trading Rules 


2.2. Trading Fees. By placing an order on Coinbase Pro, you agree to pay all applicable fees and you authorize Coinbase to 
automatically deduct fees directlv from vour Coinbase Pro Account. Tradina Fees are set forth in the Tradina Rules and 
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3. General Use, Restrictions, and Cancellation 


3.1. Trading Account Use. By using a Coinbase Pro Account you agree and represent that you will use Coinbase Pro only for 
yourself as Account owner, and not on behalf of any third party, unless you have obtained prior approval from Coinbase. You may 
not sell, lease, furnish or otherwise permit or provide access to your Trading Account to any other entity or to any individual that is 
not your employee or agent. You accept full responsibility for your employees’ or agents’ use of Coinbase Pro, whether such use is 
directly through Coinbase Pro website or by other means, such as those facilitated through API keys, and/or applications which you 
may authorize. You understand and agree that you are responsible for any and all orders, trades, and other instructions entered into 
Coinbase Pro including identifiers, permissions, passwords, and security codes associated with your Coinbase Pro Account. 


3.2. Suspension and Cancellation. We may suspend your Coinbase Pro Account or your access to any one for more Order Books 
in accordance with the User Agreement Account suspension and termination provisions. Suspension or termination of your 
Coinbase Pro Account shall not affect the payment of fees or other amounts you owe to Coinbase. In the event that your Basic 
Coinbase Account is suspended or terminated, we will immediately cancel all open orders associated with your Coinbase Pro 
Account, block all withdrawals and bar the placing of further orders until resolution or Account cancellation. 


3.3. No Warranty. We do not represent that Coinbase Pro and/or its constituent Coinbase Pro Accounts, APIs, and related services, 
will be available without interruption. Although we will strive to provide you with continuous operations, we do not guarantee 
continuous access or that there will be no delays, failures, errors, omissions or loss of transmitted information, nor do we guarantee 
that any order will be executed, accepted, recorded, or remain open. Coinbase reserves the right to cancel any open trades and/or 
suspend Coinbase Pro activity in accordance with the Trading Rules. 


3.4. No Investment Advice or Brokerage. For the avoidance of doubt, Coinbase does not provide investment, tax, or legal advice, 
nor does Coinbase broker trades on your behalf. All Coinbase Pro trades are executed automatically, based on the parameters of 
your order instructions and in accordance with posted Trade execution procedures, and you are solely responsible for determining 
whether any investment, investment strategy or related transaction is appropriate for you based on your personal investment 
objectives, financial circumstances and risk tolerance. You should consult your legal or tax professional regarding your specific 
situation. 


3.5. Debts. In the event that there are outstanding amounts owed to us hereunder, including in your Coinbase Account, Coinbase 
reserves the right to debit your Coinbase Pro Account accordingly and/or to withhold amounts from funds you may transfer from 
your Coinbase Pro Account to your Coinbase Account. 
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Legal 


Coinbase Global Privacy Policy 


Last updated: October 8, 2021 


We at Coinbase (defined below) respect and protect the privacy of visitors to our websites and our customers. This Privacy 
Policy describes our information handling practices when you access our services, which include our content on the 
websites located at coinbase.com, coinbase.com/exchange, coinbase.com/prime, custody.coinbase.com, or any other 
websites, pages, features, or content we own or operate (collectively, the "Site(s)") or when you use the Coinbase mobile 
app, the Coinbase Card App (as defined below), any Coinbase, Coinbase Exchange, Coinbase Prime, or Coinbase Custody 
API or third party applications relying on such an API, and related services (referred to collectively hereinafter as 
"Services"). 


Please take a moment to read this Privacy Policy carefully. If you have any questions about this Policy, please submit your 
request via our Support Portal at https://support.coinbase.com/customer/portal/emails/new. 


We may modify this Privacy Policy from time to time which will be indicated by changing the date at the top of this page. If 
we make any material changes, we will notify you by email (sent to the email address specified in your account), by means 
of a notice on our Services prior to the change becoming effective, or as otherwise required by law. 


1. ACCEPTANCE OF THIS PRIVACY POLICY 


By accessing and using our Services, you signify acceptance to the terms of this Privacy Policy. Where we require your 
consent to process your personal information, we will ask for your consent to the collection, use, and disclosure of your 
personal information as described further below. We may provide additional "just-in-time" disclosures or information 
about the data processing practices of specific Services. These notices may supplement or clarify our privacy practices or 
may provide you with additional choices about how we process your data. 


If you do not agree with or you are not comfortable with any aspect of this Privacy Policy, you should immediately 
discontinue access or use of our Services. 


2. OUR RELATIONSHIP TO YOU 


Where You Reside Services Provided Your Operating Entity Contact Address 


Coinbase Custody 
International Limited 
(unless otherwise 70 Sir John Rogerson's 
indicated in your service Quay Dublin 2, Ireland 
contract) Company No: 
657718 


Anywhere but the United 


States and Japan Custodial services 


Coinbase Europe, 


ee one ice Digital Currency services | Limited. Company No: 


70 Sir John Rogerson's 


Kingdom 675475 Quay Dublin 2, Ireland 
Coinbase Germany 
Germany Digital Currency services GmbH. Company No: HRB | Kurfurstendamm 22, 


213709 B. BaFin-ID 
10158674 


10719 Berlin, Germany 


Coinbase Ireland, 
Limited. Company No: 70 Sir John Rogerson's 
630350 CBI Register No: Quay Dublin 2, Ireland 

C188493 


European Economic Area _ | Fiat Wallet services 


oer ‘ Coinbase Singapore Pte. One Marina Boulevard, 
Digital Currency services, 


Singapore : j Ltd. Unique Entity No.: #28-00, Singapore 
Fiat Wallet services 201935002N 018989 
Coinbase KK. Company 
Digital Currency services, ate eerie roe Otemachi Building 4F 
Japan Fiat Wallet services, g : FINOLAB, 1-6-1 Otemachi, 


Finance Bureau 
Directory-General No. 


Custodial services Chiyoda-ku, Tokyo 


Market Data Trading Rules FAQ 


Acceptance of This Privacy Policy 

Our Relationship To You 

The Personal Information We Collect 
Anonymized and Aggregated Data 
How Your Personal Information Is Used 


Legal Bases For Processing Your 
Information 


Why We Share Personal Information With 
Other Parties 


Special Provisions Relating to Coinbase 
Card Users 


How We Protect and Store Personal 
Information 


Retention of Information 
Third-Party Sites and Services 
Children's Personal Information 
International Transfers 

Your Privacy Rights and Choices 
California Privacy Rights 


How To Contact Us 
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We use our own and third-party cookies on our websites to enhance your experience, analyze traffic, and 


for security and marketing. For more info or to modify cookies, see our Cookie Policy or go to 


Manage Settings. 


in Europe) 


FCA Register No: 900635 


Kingdom 


United States 


Digital Currency services, 
Fiat Wallet services 


Coinbase, Inc. CA Entity 
No.: C3548456 


Coinbase, Inc. c/o C T 
Corporation System 818 
West Seventh St., Ste. 
930 Los Angeles, 


California 90017 
Coinbase Custody Trust Coinbase Custody Trust 
Company, LLC (unless Company, LLC c/o CT 
United States Custodial services otherwise indicated in Corporation System 28 
your service contract) Liberty Street New York, 
NYS License # 122506 New York 10005 


United States 


Credit and Lending 
services, Margin Trading 
services 


Coinbase Credit, Inc. CA 
Entity No.: C4315976 


Coinbase Credit, Inc. c/o 
CT Corporation System 
818 West Seventh St., Ste. 
930 Los Angeles, 


Manage settings 


iss 


California 90017 


The CB operating entity you contract with determines the means and purposes of processing your personal information in 
relation to the Services provided to you (typically referred to as a “data controller”). 


You may be asked to provide personal information anytime you are in contact with any CB companies. The CB companies 
may share your personal information with each other and use it consistent with this Privacy Policy. They may also combine 
jt with other information to provide and improve our products, services, and content (additional details below). For 
example, even if you do not reside in the United States (the “US"), your information may be shared with Coinbase, Inc. 
which provides global support for all Services including technical infrastructure, product development, security, 
compliance, fraud prevention, and customer support. 


If you have any questions about your CB Account, your personal information, or this Privacy Policy, please submit your 
request via our Support Portal. 


3. THE PERSONAL INFORMATION WE COLLECT 


Personal information is typically data that identifies an individual or relates to an identifiable individual. This includes 
information you provide to us, information which is collected about you automatically, and information we obtain from 
third parties. The definition of personal information depends on the applicable law based on your physical Location. Only 
the definition that applies to your physical location will apply to you under this Privacy Policy. 


Information you provide to us. To establish an account and access our Services, we'll ask you to provide us with some 
important information about yourself. This information is either required by law (e.g. to verify your identity), necessary to 
provide the requested services (e.g. you will need to provide your bank account number if you'd like to link that account to 
CB), or is relevant for certain specified purposes, described in greater detail below. As we add new features and Services, 
you may be asked to provide additional information. 


If you choose not to share certain information with us, we may not be able to serve you as effectively or offer you our 
Services. Any information you provide to us that is not required is voluntary. 


We may collect the following types of information from you: 


@ Personal Identification Information: Full name, date of birth, nationality, gender, signature, utility bills, photographs, 
phone number, home address, and/or email. 


@ Formal Identification Information: Government issued identity document such as Passport, Driver's License, National 
Identity Card, State ID Card, Tax ID number, passport number, driver's license details, national identity card details, 
visa information, and/or any other information deemed necessary to comply with our Legal obligations under financial 
or anti-money laundering laws. 


@ Institutional Information: Employer Identification number (or comparable number issued by a government), proof of 
legal formation (e.g. Articles of Incorporation), personal identification information for all material beneficial owners. 


@ Financial Information: Bank account information, payment card primary account number (PAN), transaction history, 
trading data, and/or tax identification. 


@ Transaction Information: Information about the transactions you make on our Services, such as the name of the 
recipient, your name, the amount, and/or timestamp. 


@ Employment Information: Office location, job title, and/or description of role. 
®@ Correspondence: Survey responses, information provided to our support team or user research team. 


®@ Audio, electronic, visual and similar information, such as call and video recordings. 


Information we collect from you automatically. To the extent permitted under the applicable law, we may collect certain 
types of information automatically, such as whenever you interact with the Sites or use the Services. This information 
helps us address customer support issues, improve the performance of our Sites and Services, provide you witha 
streamlined and personalized experience, and protect your account from fraud by detecting unauthorized access. 
Information collected automatically includes: 
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@ How you came to and use the Services; 
®@ Device type and unique device identification numbers; 


® Device event information (such as crashes, system activity and hardware settings, browser type, browser language, 
the date and time of your request and referral URL); 


@ How your device interacts with our Sites and Services, including pages accessed and Links clicked; 
@ Broad geographic Location (e.g. country or city-Level Location); and 


@ Other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your 
browser. 


We may also use identifiers to recognize you when you access our Sites via an external link, such as a link appearing ona 
third party site. 


Information we collect from our affiliates and third parties. From time to time, we may obtain information about you 
from our affiliates or third party sources as required or permitted by applicable law. These sources may include: 


® Our Coinbase Family of Companies: Our “family of companies” is the group of companies related to us by common 
control or ownership (“Affiliates”). In accordance with applicable Law, we may obtain information about you from our 
Affiliates as a normal part of conducting business, if you link your various Coinbase accounts (e.g., Coinbase Wallet 
account or Coinbase Commerce account in order to convert cryptocurrency into fiat and make withdrawals into your 
bank account), so that we may offer our Affiliates’ Services to you. 


@ Public Databases, Credit Bureaus & ID Verification Partners: We obtain information about you from public databases 
and ID verification partners for purposes of verifying your identity in accordance with applicable law. ID verification 
partners like World-Check use a combination of government records and publicly available information about you to 
verify your identity. Such information may include your name, address, job role, public employment profile, credit 
history, status on any sanctions lists maintained by public authorities, and other relevant data. We obtain such 
information to comply with our Legal obligations, such as anti-money laundering laws. In some cases, we may process 
additional data about you to assess risk and ensure our Services are not used fraudulently or for other illicit activities. 
In such instances, processing is necessary for us to continue to perform our contractual obligations with you and 
others. World-Check's Privacy Policy, available at https://www.refinitiv.com/en/products/world-check-kyc- 
screening/privacy-statement/, describes its collection and use of personal data. 


@ Blockchain Data: We may analyze public blockchain data to ensure parties utilizing our Services are not engaged in 
illegal or prohibited activity under our Terms, and to analyze transaction trends for research and development 
purposes. 


@ Joint Marketing Partners & Resellers: For example, unless prohibited by applicable Law, joint marketing partners or 
resellers may share information about you with us so that we can better understand which of our Services may be of 
interest to you. 


@ Advertising Networks & Analytics Providers: We work with these providers to provide us with de-identified 
information about how you found our Sites and how you interact with the Sites and Services. This information may be 
collected prior to account creation. For more information on how you can manage collection of this data, please see 
our Cookie Policy. 


4. ANONYMIZED AND AGGREGATED DATA 


Anonymization is a data processing technique that modifies personal information so that it cannot be associated with a 
specific individual. Except for this section, none of the other provisions of this Privacy Policy applies to anonymized or 
aggregated customer data (i.e. information about our customers that we combine together so that it no Longer identifies 
or references an individual customer). 


Coinbase may use anonymized or aggregate customer data for any business purpose, including to better understand 
customer needs and behaviors, improve our Services, conduct business intelligence and marketing, and detect security 
threats. We may perform our own analytics on anonymized data or enable analytics provided by third parties. 


Types of data we may anonymize include, transaction data, click-stream data, performance metrics, and fraud indicators. 


5. HOW YOUR PERSONAL INFORMATION IS USED 


Our primary purpose in collecting personal information is to provide you with a secure, smooth, efficient, and customized 
experience. We generally use personal information to create, develop, operate, deliver, and improve our Services, content 
and advertising; and for loss prevention and anti-fraud purposes. We may use this information in the following ways: 


1) To maintain Legal and regulatory compliance 


Most of our core Services are subject to laws and regulations requiring us to collect, use, and store your personal 
information in certain ways. For example, CB must identify and verify customers using our Services in order to comply 
with anti-money laundering laws across jurisdictions. This includes collection and storage of your photo identification. In 
addition, we use third parties to verify your identity by comparing the personal information you provide against third- 
party databases and public records. When you seek to Link a bank account to your CB Account, we may require you to 
provide additional information which we may use in collaboration with service providers acting on our behalf to verify 
your identity or address, and/or to manage risk as required under applicable Law. If you do not provide personal 
information required by Law, we will have to close your account. 


2) To enforce our terms in our user agreement and other agreements 


CB handles sensitive information, such as your identification and financial data, so it is very important for us and our 
customers that we actively monitor, investigate, prevent, and mitigate any potentially prohibited or illegal activities, 
enforce our agreements with third parties, and/or prevent and detect violations of our posted user agreement or 
agreements for other Services. In addition, we may need to collect fees based on your use of our Services. We collect 
information about vour account usaae and closelv monitor vour interactions with our Services. We mav use anv of vour 


Market Data 


Trading Rules FAQ 
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4) To provide Coinbase's Services 


We process your personal information to provide the Services to you. For example, when you want to store funds on our 
platform, we require certain information such as your identification, contact information, and payment information. We 
cannot provide you with Services without such information. Third parties such as identity verification services may also 
access and/or collect your personal information when providing identity verification and/or fraud prevention services. 


5) To provide Service communications 


We send administrative or account-related information to you to keep you updated about our Services, inform you of 
relevant security issues or updates, or provide other transaction-related information. Without such communications, you 
may not be aware of important developments relating to your account that may affect how you can use our Services. You 
may not opt-out of receiving critical service communications, such as emails or mobile notifications sent for legal or 
security purposes. 


6) To provide customer service 


We process your personal information when you contact us to resolve any questions, disputes, collect fees, or to 
troubleshoot problems. Without processing your personal information for such purposes, we cannot respond to your 
requests and ensure your uninterrupted use of the Services. 


7) To ensure quality control 


We process your personal information for quality control and staff training to make sure we continue to provide you with 
accurate information. If we do not process personal information for quality control purposes, you may experience issues 
on the Services such as inaccurate transaction records or other interruptions. 


8) To ensure network and information security 


We process your personal information in order to enhance security, monitor and verify identity or service access, combat 
spam or other malware or security risks and to comply with applicable security laws and regulations. The threat 
landscape on the internet is constantly evolving, which makes it more important than ever that we have accurate and up- 
to-date information about your use of our Services. Without processing your personal information, we may not be able to 
ensure the security of our Services. 


9) For research and development purposes 


We process your personal information to better understand the way you use and interact with Coinbase's Services. In 
addition, we use such information to customize, measure, and improve Coinbase's Services and the content and Layout of 
our website and applications, and to develop new services. Without such processing, we cannot ensure your continued 
enjoyment of our Services. 


10) To enhance your experience 


We process your personal information to provide a personalized experience, and implement the preferences you request. 
For example, you may choose to provide us with access to certain personal information stored by third parties. Without 
such processing, we may not be able to ensure your continued enjoyment of part or all of our Services. 


11) To facilitate corporate acquisitions, mergers, or transactions 


We may process any information regarding your account and use of our Services as is necessary in the context of 
corporate acquisitions, mergers, or other corporate transactions. 


12) To engage in marketing activities 


Based on your communication preferences, we may send you marketing communications (e.g. emails or mobile 
notifications) to inform you about our events or our partner events; to deliver targeted marketing; and to provide you with 
promotional offers. Our marketing will be conducted in accordance with your advertising marketing preferences and as 
permitted by applicable law. 


13) To protect the health and safety of our employees and visitors, our facilities and our property and other rights. If you 
visit one of our locations, to maintain security at such Locations you may be photographed or videotaped. 


14) For any purpose that you provide your consent. 


We will not use your personal information for purposes other than those purposes we have disclosed to you, without your 
permission. From time to time, and as required under the applicable Law, we may request your permission to allow us to 
share your personal information with third parties. In such instances, you may opt out of having your personal information 
shared with third parties, or allowing us to use your personal information for any purpose that is incompatible with the 
purposes for which we originally collected it or subsequently obtained your authorization. If you choose to limit the use of 
your personal information, certain features or CB Services may not be available to you. 


6. LEGAL BASES FOR PROCESSING YOUR INFORMATION 


For individuals who are located in the European Economic Area, the United Kingdom or Switzerland (collectively “EEA 
Residents") at the time their personal information is collected, our legal bases for processing your information under the 
EU General Data Protection Regulation (“GDPR") will depend on the personal information at issue, the specific context in 
the which the personal information is collected and the purposes for which it is used. We generally only process your data 
where we are Legally required to, where processing is necessary to perform any contracts we entered with you (or to take 
steps at your request prior to entering into a contract with you), where processing is in our legitimate interests to operate 
our business and not overridden by your data protection interests or fundamental rights and freedoms, or where we have 
obtained your consent to do so. In some rare instances, we may need to process your personal information to protect your 
vital interests or those of another person. Below is a list of how CB uses your personal information, as described above in 
Section 5, with the corresponding legal bases for processing. If you have questions about or need further information 
concerning the legal basis on which we collect and use your personal information, please contact us using the contact 
details provided under the "How to contact us" heading below. 


Section & Purpose of Processing Legal Bases for Processing 
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customer service (7) To ensure quality control 


Based on our legitimate interests. When we process 
your personal data for our legitimate interests we 
always ensure that we consider and balance any 
potential impact on you and your rights under data 
protection laws. 


(9) For research and development purposes (10) To 
enhance your experience (11) To facilitate corporate 
acquisitions, mergers, or transactions (12) To engage 
in direct marketing activities 


(1) To maintain Legal and regulatory compliance (3) To 
detect and prevent fraud and/or funds Loss (8) To Based on our legal obligations, the public interest, or 
ensure network and information security (13) To in your vital interests. 

protect your or our’s vital interests 


(10) To enhance your experience (12) To engage in third 
party marketing activities (14) For any purpose to Based on your consent. 
which you consent 


7. WHY WE SHARE PERSONAL INFORMATION WITH OTHER PARTIES 


We take care to allow your personal information to be accessed only by those who require access to perform their tasks 
and duties, and to share only with third parties who have a legitimate purpose for accessing it. CB will never sell or rent 
your personal information to third parties without your explicit consent. We will only share your information in the 
following circumstances: 


@ With third party identity verification services in order to prevent fraud. This allows CB to confirm your identity by 
comparing the information you provide us to public records and other third party databases. These service providers 
may create derivative data based on your personal information that can be used in connection with the provision of 
identity verification and fraud prevention services. For example: 


© We may use Jumio Corporation or Jumio UK, Limited (collectively “Jumio”) to verify your identity by determining 
whether a selfie you take matches the photo in your government issued identity document. The information 
collected from your photo may include biometric data. Jumio's Privacy Policy, available at 
https://www.jumio.com/Legal-information/privacy-policy/jumio-inc-privacy-policy-for-online-services/, 
describes its collection and use of personal information. 


© For Germany users, we may use SolarisBank AG (“Solarisbank”) to verify your identity through verification of 
identifiable personal information. The information collected from you may include biometric data. Solarisbank’s 
Privacy Policy, available at https://www.solarisbank.com/en/privacy-policy/, describes its collection and use of 
personal information. 


© We may use Sift Science, Inc. (“Sift”) to detect and prevent fraudulent activity on your account in real time. 
Information shared with Sift is treated by Sift in accordance with its Privacy Policy, available at 
https://sift.com/service-privacy. 


© If you are based in the US, CB may use Plaid, Inc. ("Plaid") to connect your Coinbase account with your bank 
account, verify your bank account and confirm your bank account balance prior to approving a transaction. 
Information shared with Plaid is treated by Plaid in accordance with its Privacy Policy, available at 
https://plaid.com/legal/#end-user-privacy-policy. 


®@ With financial institutions with which we partner to process payments you have authorized. 


@ With service providers under contract who help with parts of our business operations. Our contracts require these 
service providers to only use your information in connection with the services they perform for us, and prohibit them 
from selling your information to anyone else. Examples of the types of service providers we may share personal 
information with (other than those mentioned above) include: 


© Network infrastructure 
© Cloud storage 

© Payment processing 

© Transaction monitoring 
© Security 

© Document repository services 
© Customer support 

° Internet (e.g. ISPs) 

© Data analytics 

° Information Technology 
© Marketing 


®@ With companies or other entities that we plan to merge with or be acquired by. You will receive prior notice of any EXHIBIT A 


change in applicable policies. 
23 /34 


@ With companies or other entities that purchase CB assets pursuant to a court-approved sale or where we are required 


Enerantinn ey sani lias ABalinahias 


~ Case 1:23-cv-01408-ADA-HBK Document 1-2 Filed 09/26/23 Page 24 " ez 


User Agreement Privacy Policy Prohibited Use Policy Cookie Policy Licenses Insurance 


@ With law enforcement, officials, or other third parties when we are compelled to do so by a subpoena, court order, or 
similar legal procedure, or when we believe in good faith that the disclosure of personal information is necessary to 
prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our User 
Agreement or any other applicable policies. 


@ We share personal information about you with our Affiliates as a normal part of conducting business and offering 
Services to you. 


Where we believe it is necessary in order to protect the vital interests of any person. If you establish a CB Account 
indirectly on a third party website or via a third party application, any information that you enter on that website or 
application (and not directly on a CB website) will be shared with the owner of the third party website or application and 
your information will be subject to their privacy policies. For more information see the “Third-Party Sites and Services” 
section below. 


8. SPECIAL PROVISIONS RELATING TO COINBASE CARD USERS 


If you sign up to use the Digital Currency backed debit card Service (the “Coinbase Card”) provided by CB via the 
dedicated app for that Service (the “Coinbase Card App”), we will process your personal information in accordance with 
this Policy. 


In order to provide the Coinbase Card Service to you, we have partnered with Paysafe Financial Services Limited and 
Paysafe Payment Solution Limited (collectively “Paysafe”). Paysafe is the issuer of the Coinbase Card and is a member of 
the Visa card scheme, which will be used to enable your Coinbase Card to operate as a normal debit card. When you sign 
up on the Coinbase Card App you agree to Paysafe's own terms and conditions and Privacy Policy (available at 
https://www.paysafe.com/paysafegroup/privacy-policy/), and as a result Paysafe will be an independent data controller in 
relation to the personal information they collect and hold relating to you. 


We may at times need to share some of your personal information that we control with Paysafe to enable us and Paysafe 
to provide you with the Coinbase Card Service. Where we do this, Paysafe will act as a data processor and only process 
your personal information to the extent necessary to enable us and Paysafe to provide the Coinbase Card Service to you. 


9. HOW WE PROTECT AND STORE PERSONAL INFORMATION 


We understand how important your privacy is, which is why CB maintains (and contractually requires third parties it shares 
your information with to maintain) appropriate physical, technical and administrative safeguards to protect the security 
and confidentiality of the personal information you entrust to us. 


We may store and process all or part of your personal and transactional information, including certain payment 
information, such as your encrypted bank account and/or routing numbers, in the US and elsewhere in the world where 
our facilities or our service providers are located. We protect your personal information by maintaining physical, 
electronic, and procedural safeguards in compliance with the applicable laws and regulations. 


For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to 
our buildings and files, and we authorize access to personal information only for those employees who require it to fulfill 
their job responsibilities. Full credit card data is securely transferred and hosted off-site by payment vendors like 
Worldpay, (UK) Limited, Worldpay Limited, or Worldpay AP Limited (collectively “Worldpay”) in compliance with Payment 
Card Industry Data Security Standards (PCI DSS). This information is not accessible to CB or Coinbase staff. For more 
information about how Worldpay stores and uses your information, please see Worldpay's Privacy Policy at 
https://www.worldpay.com/uk/worldpay-privacy-notice. 


However, we cannot guarantee that loss, misuse, unauthorized acquisition, or alteration of your data will not occur. Please 
recognize that you play a vital role in protecting your own personal information. When registering with our Services, it is 
important to choose a password of sufficient length and complexity, to not reveal this password to any third-parties, and 
to immediately notify us if you become aware of any unauthorized access to or use of your account. 


Furthermore, we cannot ensure or warrant the security or confidentiality of information you transmit to us or receive from 
us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information 
once it Leaves and until it reaches us. If you have reason to believe that your data is no Longer secure, please contact us 
using the contact information provided in the “How to contact us” section below. 


10. RETENTION OF PERSONAL INFORMATION 


We store your personal information securely throughout the Life of your CB Account. We will only retain your personal 
information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of 
satisfying any legal, accounting, or reporting obligations or to resolve disputes. While retention requirements vary by 
jurisdiction, information about our typical retention periods for different aspects of your personal information are 
described below. 


@ Personal information collected to comply with our legal obligations under financial or anti-money laundering laws 
may be retained after account closure for as long as required under such laws. 


® Contact Information such as your name, email address and telephone number for marketing purposes is retained on 
an ongoing basis until you unsubscribe. Thereafter we will add your details to our suppression list to ensure we do not 
inadvertently market to you. 


® Content that you post on our website such as support desk comments, photographs, videos, blog posts, and other 
content may be kept after you close your account for audit and crime prevention purposes (e.g. to prevent a known 
fraudulent actor from opening a new account). 


®@ Recording of our telephone calls with you may be kept for a period of up to six years. 


@ Information collected via technical means such as cookies, webpage counters and other analytics tools is kept for a 
period of up to one year from expiry of the cookie. 
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transactions using CB Services. Please note that third parties you interact with may have their own privacy policies, and 
CB is not responsible for their operations or their use of data they collect. Information collected by third parties, which 
may include such things as contact details, financial information, or location data, is governed by their privacy practices 
and Coinbase is not responsible for unauthorized third-party conduct. We encourage you to learn about the privacy 
practices of those third parties. 


Examples of account connections include: 


@ Merchants: If you use your CB account to conduct a transaction with a third party merchant, the merchant may 
provide data about you and your transaction to us. 


®@ Your Financial Services Providers: For example, if you send us funds from your bank account, your bank will provide us 
with identifying information in addition to information about your account in order to complete the transaction. 


Information that we share with a third party based on an account connection will be used and disclosed in accordance 
with the third party's privacy practices. Please review the privacy notice of any third party that will gain access to your 
personal information. Coinbase is not responsible for such third party conduct. 


12. CHILDREN'S PERSONAL INFORMATION 


We do not knowingly request to collect personal information from any person under the age of 18. If a user submitting 
personal information is suspected of being younger than 18 years of age, CB will require the user to close his or her 
account and will not allow the user to continue using our Services. We will also take steps to delete the information as 
soon as possible. Please notify us if you know of any individuals under the age of 18 using our Services so we can take 
action to prevent access to our Services. 


13. INTERNATIONAL TRANSFERS 


To facilitate our global operations, CB may transfer, store, and process your personal information within our Affiliates, 
third-party partners, and service providers based throughout the world, including Ireland, Germany, Singapore, Japan, the 
UK, the US, the Philippines, and possibly other countries. We will protect your personal information in accordance with 
this Privacy Policy wherever it is processed and will take appropriate contractual or other steps to protect the relevant 
personal information in accordance with applicable laws. We contractually obligate recipients of your personal 
information to agree to at least the same level of privacy safeguards as required under applicable data protection laws. By 
communicating electronically with CB, you acknowledge and agree to your personal information being processed in this 
way. 


If you have a complaint about our privacy practices and our collection, use or disclosure of personal information please 
submit your request via our Support Portal. 


Data transferred out of the EU 


We rely primarily on the European Commission’s Standard Contractual Clauses to facilitate the international and 
onward transfer of personal information collected in the European Economic Area ("EEA"), the United Kingdom and 
Switzerland (collectively “European Personal Information”), to the extent the recipients of the European Personal 
Information are located in a country that the EU considers to not provide an adequate Level of data protection. This 
includes transfers from our EU-based CB operating entities to our US-based operating entity, Coinbase, Inc. We may also 
rely on an adequacy decision of the European Commission confirming an adequate Level of data protection in the 
jurisdiction of the party receiving the information, or derogations in specific situations. 


Coinbase, Inc. is responsible for the processing of personal information it receives and subsequently transfers to a third 
party acting as an agent on its behalf. Before we share your information with any third party, Coinbase, Inc. will enter into 
awritten agreement that the third party provides at least the same level of protection for the personal information as 
required under applicable data protection laws. 


Coinbase, Inc., also participates in and has certified its compliance with the EU-US Privacy Shield Framework. Under the 
Privacy Shield Framework, Coinbase, Inc. is subject to the authority of the Federal Trade Commission. To learn more about 
the Privacy Shield Framework, visit the U.S. Department of Commerce's Privacy Shield List at 
https://www.privacyshield.gov. 


European data subjects with inquiries or complaints relating to our Privacy Shield certifications should first contact CB 
via our Support Portal or by emailing dpo@coinbase.com. If we are unable to resolve your complaint or dispute, you may 
refer your complaint to our designated independent dispute resolution mechanism, the International Centre for Dispute 
Resolution ("ICDR"), operated by the American Arbitration Association ("AAA"). For more information and to file a 
complaint, you may contact the International Centre for Dispute Resolution by phone at +1.212.484.4181, or by visiting the 
website https://go.adr.org/privacyshield.html. 


If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke 
binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at 
https://www.privacyshield.gov/article?id=ANNEX-I-ntroduction. 


14. YOUR PRIVACY RIGHTS AND CHOICES 


Depending on applicable law where you reside, you may be able to assert certain rights related to your personal 
information identified below. If any of the rights listed below are not provided under Law for your operating entity or 
jurisdiction, CB has absolute discretion in providing you with those rights. 


Your rights to personal information are not absolute. Depending upon the applicable law, access to your rights under the 
applicable law may be denied: (a) when denial of access is required or authorized by law; (b) when granting access would 
have a negative impact on another's privacy; (c) to protect our rights and properties; (d) where the request is frivolous or 
vexatious, or for other reasons. 


®@ Access and portability. You may request that we provide you a copy of your personal information held by us. This 
information will be provided without undue delay subject to a potential fee associated with gathering of the 
information (as permitted by law), unless such provision adversely affects the rights and freedoms of others. In 
certain circumstances, you may request to receive your personal information in a structured, commonly used and 
machine-readable format, and to have us transfer your personal information directly to another data controller. 
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request to erase, in our database for a period of time as described above. This is necessary to deter fraud, by ensuring 

that persons who try to commit fraud will not be able to avoid detection simply by closing their account and opening a 
new account, and to comply with CB's legal obligations. However, if you close your account, your personal information 
will not be used by us for any further purposes, nor shared with third parties, except as necessary to prevent fraud and 
assist law enforcement, as required by Law, or in accordance with this Privacy Policy. 


@ Withdraw consent. To the extent the processing of your personal information is based on your consent, you may 
withdraw your consent at any time. Your withdrawal will not affect the lawfulness of CB's processing based on 
consent before your withdrawal. 


®@ Restriction of processing. In some jurisdictions, applicable law may give you the right to restrict or object to us 
processing or transferring your personal information under certain circumstances. We may continue to process your 
personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by 
applicable law. 


@ Automated individual decision-making, including profiling. CB relies on automated tools to help determine whether a 
transaction or a customer account presents a fraud or legal risk. In some jurisdictions, you have the right not to be 
subject to a decision based solely on automated processing of your personal information, including profiling, which 
produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data 
protection laws. 


@ Marketing communications. You can opt-out of receiving marketing communications from CB. Direct marketing 
includes any communications to you that are only based on advertising or promoting our products and services. We 
will only contact you by electronic means (email or SMS) based on our legitimate interests, as permitted by applicable 
law, or your consent. If you do not want us to send you marketing communications, please go to your account settings 
to opt-out or submit a request via our Support Portal. 


© For users in the European Economic Area, the United Kingdom and Switzerland: To the extent we can rely on 
legitimate interest under the applicable Law, we will only send you information about our Services that are similar 
to those which were the subject of a previous sale or negotiations of a sale to you. We will contact you by 
electronic means for marketing purposes only if you have consented to such communication. You may raise such 
objections with regard to initial or further processing for purposes of direct marketing, at any time and free of 
charge. 


How to make a privacy request 


You can make privacy rights requests relating to your personal information by going to your Privacy Rights Dashboard or, if 
you cannot access the Dashboard, by contacting us via our Support Portal. Our Privacy Rights Dashboard also allows you 
to set your communication preferences and make individual rights requests relating to your personal information. We 
strongly encourage you to make any individual rights requests through the Privacy Rights Dashboard because it ensures 
that you have been authenticated already (based on the KYC information you have provided to open your account and by 
providing the necessary login credentials and multi-factor authentication to access the account). Otherwise, when we 
receive an individual rights request via other intake methods, we may take steps to verify your identity before complying 
with the request to protect your privacy and security. 


How to lodge a complaint 


f you believe that we have infringed your rights, we encourage you to first submit a request via our Support Portal so that 
we can try to resolve the issue or dispute informally. If that does not resolve your issue, you may contact the CB Data 
Protection Officer at dpo@coinbase.com. 


f you reside in the EU, you can file a complaint with the International Centre for Dispute Resolution by phone at 
+1.212.484.4181, or by visiting the website http://info.adr.org/safeharbor, or your relevant data protection authority. 


n the UK, the relevant data protection authority is Information Commissioner's Office, Wycliffe House, Water Lane, 
Wilmslow, Cheshire, SK9 5AF, 0303 123 1113, casework@ico.org.uk. 


n Ireland, the relevant data protection authority is the Data Protection Commission, Canal House, Station Road, 
Portarlington, R32 AP23 Co. Laois; phone: +353 (0761) 104 800; LoCall: 1890 25 22 31; Fax: +353 57 868 4757; email: 
info@dataprotection.ie 


15. CALIFORNIA PRIVACY RIGHTS 


In addition to the rights provided for above, if you are a California resident, you have the right to request information from 
us regarding whether we share certain categories of your personal information with third parties for the third parties' 
direct marketing purposes. To the extent we share you personal information in this way, you may receive the following 
information: 


@ the categories of information we disclosed to third parties for the third parties' direct marketing purposes during the 
preceding calendar year; and 


@ the names and addresses of third parties that received such information, or if the nature of their business cannot be 
determined from the name, then examples of the products or services marketed. 


Pursuant to the California Consumer Privacy Act of 2018 (“CCPA"), California residents have certain rights in relation to 
their personal information, subject to limited exceptions. Any terms defined in the CCPA have the same meaning when 
used in this California Privacy Rights section. This section describes the categories of personal information CB has 
collected, the categories of personal information CB has disclosed, and a description of California residents’ rights. 


Categories of Personal Information Collected 


The chart below described the categories of personal information CB has collected in the preceding 12 months, the 
sources and purpose of such collection, and the parties to whom the information was shared for business purposes. 
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A Disclosure of Personal 
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Personal Information Category 
(corresponds to categories in 
CCPA §1798.140(0)(1)) 


and Why We Collect this 
Information (see Section 5 above 
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Information (see “Why We Share 
Personal Information With Other 
Parties” heading above for more 
information) 
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User Agreement 


Privacy Policy 


Prohibited Use Policy 


Cook e Pol cy L censes 


Insurance 


(A) Identifiers such as Personal 
Identification Information 


Information you provide us; 
Information collected from third 
parties; Why we collect this 
information: see Section 5, 
subsections 1, 2, 3, 4, 5, 6, 8, 9, 11, 
and 12 


- Third party identity verification 
services - Financial institutions - 
Service providers - Professional 
advisors - our Affiliates 


(B) Customer records such as 
signature 


Information you provide us; 
Information collected from third 
parties; Why we collect this 
information: see Section 5, 
subsections 1, 2, 5, 6, and 11 


- Third party identity verification 
services - Financial institutions - 
Service providers 


(C) Protected classifications under 
California and federal law, 
including gender, age and 
citizenship 


Information you provide us; 
Information collected from third 
parties; Why we collect this 
information: see Section 5, 
subsection 1 


- Third party identity verification 
services - Professional advisors 


(D) Commercial information such 
as records of services purchased, 
obtained, or considered 


Information you provide us; 
Information we collect from you 
automatically; Information 
collected from third parties; Why 
we collect this information: see 
Section 5, subsections 3, 4, 5, 6, 8, 
9,10, 11 and 12 


- Third party identity verification 
services - Financial institutions - 
Service providers - Professional 
advisors - our Affiliates 


(E) Biometric information 


Information you provide us; Why 
we collect this information: see 
Section 5, subsection 1 


- Third party identity verification 
services - Financial institutions 


(F) Usage Data 


Information we collect from you 
automatically; Why we collect this 
information: see Section 5, 
subsections 2, 3, 4, 6, 7, 8, 9, 10, and 
12 


- Third party identity verification 
services - Service providers - 
Professional advisors - our 
Affiliates 


(G) Online Identifiers 


Information we collect from you 
automatically; Why we collect this 
information: see Section 5, 
subsections 1, 3, 9 and 12 


- Third party identity verification 
services - Service Providers 


(H) Sensory data, such audio, 
electronic, visual information 


Information you provide to us; Why 
we collect this information: see 
Section 5, subsections 3, 4,5 and 7 


Not applicable 


(I) Professional or employment- 
related information 


Information you provide us; 
Information collected from third 
parties; Why we collect this 
information: see Section 5, 
subsections 1, 12 


- Third party identity verification 
services - Service providers - our 
Affiliates 


(J) Inferences about preferences, 
characteristics, predispositions, 
etc. 


Information you provide us; 
Information we collect from you 
automatically; Why we collect this 
information: see Section 5, 
subsections 9, 10, 12 


- Service providers - Professional 
advisors - our Affiliates 
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California Residents’ Rights 


Under the CCPA, you may have the following consumer rights. Please note that these rights are not absolute and in 
certain cases are subject to conditions or limitations as specified in the CCPA: 


@ For personal information collected by us during the preceding 12 months preceding your request that is not otherwise 
subject to an exception, California residents have the right to access and delete their personal information. CB will 
not discriminate against those who exercise their rights. Specifically, if you exercise your rights, we will not deny you 
services, charge you different prices for services or provide you a different level or quality of services. 


© To the extent we sell your personal information to third parties, you also have the right to request that we disclose to 
you: (i) the categories of your personal information that we sold, and (ii) the categories of third parties to whom your 
personal information was sold. You have the right to direct us not to sell your personal information. CB does not sell 
your personal information in its ordinary course of business and will never sell your personal information to third 
parties without your explicit consent. 


Should CB engage in any of the activities listed in this section, your ability to exercise these rights will be made available 
to you in your account settings. You can exercise your rights by going to your Privacy Rights Dashboard or contacting us 
via our Support Portal so that we may consider your request. 


We will need to verify your identity before processing your request. In order to verify your identity, we will generally either 
require the successful login to your account or the matching of sufficient information you provide us to the information 
we maintain about you in our systems. Although we try to Limit the personal information collected in connection witha 
request to exercise your rights, certain requests may require us to obtain additional personal information from you. In 
certain circumstances, we may decline a request to exercise the right to know and right to deletion, particularly where we 
are unable to verify your identity. 
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authorized by you to act on their behalf, or are unable to verify their identity. 


Do Not Track 


Some Internet browsers - like Internet Explorer, Firefox, and Safari - include the ability to transmit "Do Not Track" or "DNT" 
signals. Since uniform standards for "DNT" signals have not been adopted, we do not currently process or respond to 


"DNT" signals. 


16. HOW TO CONTACT US 


If you have questions or concerns regarding this Privacy Policy, or if you have a complaint, please contact us on our 
Support page, at dpo@coinbase.com, or by writing to us at the address of your operating entity (provided above). 
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Legal 


Coinbase Cookie Policy 


Effective Date: October 1, 2021 


This Cookie Policy explains how Coinbase, Inc. and its group companies ("Coinbase", "we", "us" and "our") use cookies and similar technologies when you visit our websites located at 
coinbase.com, exchange.coinbase.com, prime.coinbase.com custody.coinbase.com, or any other websites, pages, features, or content we own or operate (collectively, the "Site(s)"), when 
you use the Coinbase mobile app, and/or when you interact with Coinbase online advertisements or marketing emails (collectively the "Services"). It explains what these technologies are 
and why we use them, as well as your rights to control our use of them. 


In some cases, we may use cookies and similar technologies to collect personal information, or information that becomes personal information if we combine it with other information. In 
such cases the Coinbase Global Privacy Policy will apply in addition to this Cookie Policy. 


If you have any questions about our use of cookies or other technologies, please submit your request via our Support Portal at 
https://support.coinbase.com/customer/portal/emails/new. 


WHAT ARE COOKIES? 


Cookies are small files, typically of letters and numbers, downloaded onto your computer or mobile device when you visit certain websites. When you return to these websites, or visit 
other websites that use the same cookies, the websites recognize these cookies and your browsing device. A cookie cannot read data off your hard drive or read cookie files created by 
other websites. 


Cookies set by the website operator are called "first party cookies". Cookies set by parties other than the website operator are called "third party cookies". The parties that set third 
party cookies can recognize your web browser both when it visits the Coinbase website and when it visits certain other websites where the third party's cookies are also present. 


More information on cookies and their use can be found at www.aboutcookies.org or www.allaboutcookies.org. 


WHY DO WE USE COOKIES? 


When you access our Sites and Services, we or companies we work with may place cookies on your computer or other device. These technologies help us better understand user behavior, 
and inform us about which parts of our websites people have visited. 


We use first party and third party cookies to recognize you as a Coinbase customer, customize Coinbase Services, content, and advertising, to measure promotional effectiveness, and to 
collect information about your computer or other access device to mitigate risk, help prevent fraud, and promote trust and safety. 


We may place cookies from third-party service providers who may use information about your visits to other websites to target advertisements for products and services available from 
Coinbase. We do not control the types of information collected and stored by these third-party cookies. You should check the third-party's website for more information on how they use 
cookies. 


The following are some examples of information that we collect and how we may use it: 


@ We may collect and store details of how you use our Sites and Services. Except in Limited instances to ensure quality of our Services over the Internet, such information will not be 
associated with your IP address. 


@ We may collect information such as your language, inferred zip code or area code, unique device identifier, referrer URL, location, and time zone so that we can better understand 
customer behavior and improve our Services. 


@ We may collect information regarding customer activities on our websites and platforms, which is used to understand which parts of our Sites and Services are of most interest. This 
data is aggregated, and thus is considered non-personal information for the purposes of this Cookie Policy and our Global Privacy Policy. 


WHAT TYPES OF COOKIES DO WE USE? 
EXHIBIT A 


29/34 


We use the following types of cookies: 


Strictly Necessary Cookies 


These cookies are necessary for the Sites to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request 
for services, such as setting your privacy preferences, Logging in, or filling in forms. These also include cookies we may rely on for fraud prevention. You can set your browser to block or 
alert you about these cookies, but some parts of the site will not then work. 


Performance/Analytics Cookies 
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Sites. They help us to know which pages are the most and least popular 


and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you 
have visited our site, and will not be able to monitor its performance. 


ef a ade 
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Coinbase uses third party service providers to display advertising on our Services and serve advertising on other third party sites that may be relevant to you or your interests. These 
cookies are also used to help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information may be shared with other 
organizations, such as advertisers. This means that after you have been to our websites, you may see some advertisements about our Services elsewhere on the Internet. The information 
collected through this process by the third party service providers does not enable us or them to identify your name, contact details or other personal information that directly identifies 
you unless you choose to provide these. Such advertising will only be delivered where permitted by applicable law. If you do not allow these cookies, you will experience less advertising 
tailored to your inferred interests on our Sites and will not receive targeted Coinbase advertisements on third party websites. 


HOW LONG WILL COOKIES STAY ON MY BROWSING DEVICE? 


The length of time a cookie will stay on your browsing device depends on whether it is a "persistent" or "session" cookie. Session cookies will only stay on your device until you close your 
browser. Persistent cookies stay on your browsing device until they expire or are deleted. 


WHAT OTHER SIMILAR TECHNOLOGIES DOES COINBASE USE? 


In addition to cookies, we may use other similar technologies, like web beacons to track users of our Sites and Services. Web beacons, or "clear gifs," are tiny graphics with a unique 
identifier, similar in function to cookies. They are used to track the online movements of web users. 


In contrast to cookies, which are stored on a user's computer hard drive or device, clear gifs are embedded invisibly on web pages and are about the size of the period at the end of this 
sentence. We and our third-party service provider employ web beacons for the reasons stated above (under "Cookies"), but primarily to help us better manage content on our Services by 
informing us which content is effective. 


We may also use so-called "Flash Cookies" (also known as "Local Shared Objects or "LSOs") to collect and store information about your use of our services, fraud prevention and for other 
site operations. 


HOW TO MANAGE COOKIES, SIMILAR TECHNOLOGIES AND TARGETED ONLINE MOBILE ADVERTISING 


You have the right to decide whether to accept cookies. You can exercise your preferences in relation to cookies served on our Sites by taking the steps outlined below. 


Cookies. You can enable or disable categories of cookies by visiting our Cookie Consent Manager. This includes both first party and third party cookies. You can also use the browser 
with which you are viewing this website to enable, disable or delete cookies. To do this, follow the instructions provided by your browser (usually Located within the "Help", "Tools" or 
"Edit" settings), or review the instructions provided by the browsers Listed here: Internet Explorer, Google Chrome, Mozilla Firefox, Safari Desktop, Safari Mobile, and Android browser. 
Please note, if you set your browser to disable cookies, you may not be able to access secure areas of the Sites and Services. Also, if you disable cookies other parts of the Services 
may not work properly. You can find more information about how to change your browser cookie settings at http://www.allaboutcookies.org. 


There are also additional tools available to manage third party cookies. Many advertising companies that collect information for interest-based advertising are members of the Digital 
Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), both of which maintain websites where individuals can opt out of interest-based advertising from their 
members. To opt-out of website interest-based advertising provided by each organization's respective participating companies, visit the DAA’s opt-out portal available 

at http://optout.aboutads.info/, the DAA of Canada's opt-out portal available at https://youradchoices.ca/en/tools, or visit the NAI's opt-out portal available 

at http://optout.networkadvertising.org/?c=1. Residents of the European Union may opt-out of online behavioral advertising served by the European Interactive Digital Advertising 
Alliance's participating member organizations by visiting https://www.youronlinechoices.eu/. 


Mobile Advertising: You can opt out of having your mobile advertising identifiers used for certain types of advertising by accessing the appropriate settings in your mobile device and 
following the instructions. If you opt-out, we will remove all data about you and will not collect any further data. The random ID previously assigned to you will be removed. Thus, if at 
a later stage, you decide to opt-in, we will be unable to continue and track you using the prior ID and you will for all practical purposes be a new user. For iOS devices, to limit interest- 
based ad tracking, go to Settings > Privacy > Advertising > Turn on “Limit Ad Tracking.” For Android devices, go to Settings > Google services > Ads > Turn on “Opt out of Ads 
Personalization." For iOS and Android, you can also reset the advertising identifier that is currently assigned to you. 


To opt-out of data collection for interest-based advertising across mobile applications by participating companies, download the DAA’s AppChoices mobile application opt-out 
offering here: https://youradchoices.com/appchoices. 


Do Not Track: Some Internet browsers - like Internet Explorer, Firefox, and Safari - include the ability to transmit "Do Not Track" or "DNT" signals. Since uniform standards for "DNT" 
signals have not been adopted, our Sites do not currently process or respond to "DNT" signals. 


Flash Cookies. If you do not want Flash Cookies stored on your computer, you can adjust the settings of your Flash player to block Flash Cookies storage using the tools contained in 
the website storage settings panel, available here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.htmL. You can also control Flash 


Cookies by going to the global storage settings panel and following the instructions. Setting the Flash Player to restrict or limit acceptance of Flash Cookies may reduce or impede 
the functionality of some Flash applications, including, potentially, Flash applications used in connection with our services or online content. 


WILL THIS COOKIE POLICY BE UPDATED? 


We may update this Cookie Policy from time to time to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. We review cookies every 
30 days to ensure accurate reflection of all cookies in this policy. If we do, you will be notified when you first visit our website after the change. You can also revisit this page if you wish 
to keep yourself informed. 


APPENDIX A: Cookie Table 


We may update this Cookie Policy from time to time to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. If we do, you will be 
notified when you first visit our website after the change. You can also revisit this page if you wish to keep yourself informed. 


Internal Cookies and Technologies 


The following are first-party cookies used on properties including coinbase.com and other domains operated by Coinbase. 


We use our own and third-party cookies on our websites to enhance your experience, analyze traffic, and 
for security and marketing. For more info or to modify cookies, see our Cookie Policy or go to Manage settings Dismiss 


Manage Settings. 
EXHIBIT A 
| CB-CLIENT | Support website performance | 2 years 30 ‘34 


| cb-rfm | Support website performance | 10 seconds 
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BES te ee enabled in the browser. 2° 
cf_chl_re_i This cookie is for internal use which allows Cloudflare Session 

to identify production issues on clients. 

__cfduid Security Purposes 30 days 
cf_ob_info Security Purposes 1 minutes 
cf_use_ob Security Purposes year 
_coinbase_lax Security Purposes Session 
_coinbase_session Security Purposes 30 days 
_coinbase_strict Security Purposes Session 
__cf_bm Bot management 30 minutes 
coinbase_device_id Device identification and testing O years 
coinbase_locale Sets default locale/language Session 
df Security and fraud monitoring O years 
df2 Security and fraud monitoring O years 
dtcookie Used to identify user sessions. Session 
hide_cookies_message Support website display year 
hide_android_banner Support website display year 
japan_bespoke_content Used for Japan testing 2 years 
jwt Authentication of users 30 days 
logged_in User routing 30 days 
sft Security purposes Session 
__ssid Security purposes 4 years 
user_agent Used for attributing paid marketing 2 years 
utm Conversion tracking 30 minutes 
utm_raw Used for attributing paid marketing 2 years 
x-Login-id Security purposes Session 
x-uuid Security purposes 2 years 
_parsely_visitor User routing 2 years 
coinbase_currency User routing 2 years 


Third-party cookies 


The following are third-party cookies. 


Name Purpose Retention Domain 
ajs_anonymous_id Visitor tracking lyear Segment 
ajs_group_id Analytics tracking lyear Segment EXHIBIT A 
ajs%3Acookies Service and website performance lyear Segment 3 1/34 
ajs%3Atest Website visitor tracking lyear Segment 

4 Pe 5 Adobe Experience League - Experience 
AMCV_regex Website visitor tracking 2 years Cloud Coskies 

: wes i Amplitude - overview of privacy and 
amp_regex Website visitor tracking 2 years safeguarding data 
amplitude_id-regex Manages user tracking settings Session Ainptitude = overview -GhDrvasy anid 


safeguarding data 


To provide website usage analytics for 
_ga security, monitoring, and capacity 2 years 
review 


Universal Analytics (Google) - overview 
of privacy and safeguarding data 


To provide website usage analytics for 
_gac_UA-regex security, monitoring, and capacity 30 seconds 
review 


Universal Analytics (Google) - overview 
of privacy and safeguarding data 
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_gat security, monitoring, and capacity 10 minutes of prvacyand eafequarding data 
review 
For web personalization and conversion Universal Analytics (Google) - overview 
_gcl_aw A 90 days 2 
tracking of privacy and safeguarding data 
= - provide website eee analytics _ Universal Analytics (Google) - overview 
_gid security, monitoring, and capacity iday 5 : 
: of privacy and safeguarding data 
review 
JSESSIONID Application performance analytics Session bie aes caiidagibgh OL ied 
safeguarding data 
__tld__ Analyze usage trends Session Segment 
optimizelyEndUserld For we experimentation and Session Optimizely 
personalization 
. Youtube - overview of privacy and 
VISITOR_INFO1_LIVE Used to embed videos 8 months a‘ 
safeguarding data 
YSC Used to embed videos Session jarani idehna as a 
safeguarding data 
AAO03 Conversion tracking 30 days de beiiiie : Ove eN nbr mathe 
safeguarding data 
ATN Conversion tracking 2 years Pacer : Cvettew Sh privaGy and 
safeguarding data 
fr Conversion tracking 3 months Paceponk . Cuernrere oh nhvaey aps 
safeguarding data 
To provide website usage analytics for 5 és 
ja_regex security, monitoring, and capacit lyear pencil = Hvel vis eS BIAS ane 
~ga_reg ame 9, paeny. ¥ safeguarding data 
review 
P Google - overview of privacy and 
_gac_gb_regex Ads targeting for Google 90 days sofecuarding uate 
_gat_gtag Ads targeting for Google and conversion deninuta Google - overview of privacy and 
tracking safeguarding data 
jat_UA-regex Analyze usage trends 2 years Gongs overvied Oh inaer eon 
~gat_ 9 ¥ 9 y safeguarding data 
= Bt : Google - overview of privacy and 
_gat_gtag_UA_-regex Analytics generated to distinguish users | 2 years safeguarding data 
gel Ads targeting for Google and conversion Smonths Google - overview of privacy and 
tracking safeguarding data 
‘sqelall Ads targeting for Google and conversion 90 days Google - overview of privacy and 
tracking safeguarding data 
GPS Analytics generated to distinguish users | 30 minutes moagle= poaeiieel ening ana 
safeguarding data 
: For web personalization and conversion F < 
_hp2_id.regex : 1day - 2 years Heap Privacy Policy 
tracking 
Ads targeting for Google and conversion Google - overview of privacy and 
IDE lyear A 
tracking safeguarding data 
: For web experimentation and ; 
iterableTemplateld ae iday Browser cookies set by Iterable 
personalization 
iterableMessageld For web personalization iday Browser cookies set by Iterable 
iterableEndUserld User Analytics iday Browser cookies set by Iterable 
iterableEmailCampaignid pentane bs unique ID associated with iday Browser cookies set by Iterable 
the email's campaign in Iterable. 
Tracks the current active (or last) : Liveperson - Cookies and conversational 
LPSID-regex ae A Session 2 
monitoring session. cloud overview 
Cookie is placed by Mixpanel. Mixpanel 
mp_regex is acompany that produces user lyear Mixpanel Developer Docs 
behavior analytics. 
NID Ads targeting for Google and conversion émnonths Google - overview of privacy and 
tracking ee SCE F A 
Contains information to help distinguish 
perf_dv5 Usersifrom the page: Gathers data abour iday AllReballing - Privacy Cookies a2 /34 


user visits, such as which pages are 
ralavant 
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rl_anonymous_id identify users from other sites that are lyear Reece een ae 
hosted under a sub-domain. 
Stores user with your application's 
rl_user_id unique identifier like email, database ID | 1year Rudderstack Javascript SDK 
etc and attaches to every event. 
rl_group_id Collects user activity on the web. lyear Rudderstack Javascript SDK 
Provides avisitor ID'as identified: in Liveperson - Cookies and conversational 
LPVID Conversational Cloud. Identifies a lyear P 3 
cot cloud overview 
browser as long as cookie is not deleted. 
https://www.rubydoc.info/gems/rack- 
rofilin Developer only, used by rack-mini- Session mini- 
--P profiler to bypass work. profiler/0.9.6/Rack/MiniProfiler/ClientS 
ettings 
Used to distinguish users and sessions. 
The cookie is created when the 
utnia javascript library executes and no 9 véars Google Analytics Cookie Usage on 
—_ existing __utma cookies exist. The ¥ Websites 
cookie is updated every time data is 
sent to Google Analytics. 
: Used to identify returning users during . F 
plaid_oauthnonce the Plaid oauth flow 2 years Plaid OAuth Guide 
gclid Used for attributing Google marketing 2 years jaad aces Ads Hacks website 
conversions 
fbelid Used for attributing Facebook 2 years Facebook for Developers - Marketing 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
_fbe . 2 years 
marketing API 
_fop Used for attributing Facebook 3 months Facebook for Developers - Marketing 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
wd 4 1week 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
dpr a 2 years 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
act ; lyear 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
c_user a 30 days 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
presence é lyear 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
sb : 2 years 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
xs 5 3 months 
marketing API 
2 Used for attributing Facebook Facebook for Developers - Marketing 
spin 5 2 years 
marketing API 
Used for attributing Facebook Facebook for Developers - Marketing 
datr : 2 years 
marketing API 
msclkid Ads targeting for Microsoft and 2 years Microsoft Campaign Management Data 
conversion tracking Objects 
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From: Coinbase Support [help@coinbase.com] 
Sent: 12/14/2021 9:22 PM 


0: 


Subject: [Reply] Case #09072112 - Call for US Coinbase Support from J at 202 1- 
12-14 20:46:23 -0800 


Hello Ryangggg, We’re working hard to quickly address this issue, and we'll reach out to you as 
soon as We have an update. In the meantime, please reply to this email if you have any 
additional questions. Thank you in advance for your patience and understanding. 


Regards, Coinbase Support ref:_00D6A2G0qc._5003sX9ba2:ref 


Date: 2021-12-15 18:25:16 UTC 
From_address: ue 
From_name: Ryan Dellone 

To_address: help@coinbase.com 


Message: Hello, Just following up on my account being hacked. I wanted to see if the fraud 
department has any recommendations for next steps? Is this something that I should be reporting 
to law enforcement or what is best way to handle this? Thank you, Ryan Dellone 


Sent from my iPhone 
> On Dec 14, 2021, at 9:22 PM, Coinbase Support <help@coinbase.com> wrote: 
> > Hello Ryan, 


> > We’re working hard to quickly address this issue, and we'll reach out to you as soon as we 
have an update. 


> >In the meantime, please reply to this email if you have any additional questions. 
> > Thank you in advance for your patience and understanding. 

> > Regards, > Coinbase Support > > ref:_O0OD6A2G0qc._5003sX9ba2:ref 

Date: 2021-12-17 06:21:31 UTC 

From_address: help@combase.com 


From_name: Coinbase Support 
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To_address: a 
Message: Hello Ryan, 


Thank you very much for the updated information. Our team has been able to successfully 
transfer the balance from your old account to your new one. You should be able to access these 
funds immediately. We appreciate your patience during this process. Please let us know if you 
have additional questions by replying to this email. 


Kind regards, Coinbase Support Ja ref: OOD6A2G0qc._ 5003sXAEIt:ref 


Date: 2021-12-17 22:03:09 UTC 
From_address: 
From_name: Ryan Dellone 

To_address: help@coinbase.com 


Message: Hello, I am only seeing a balance of $241. How much was the total transfer? Do I 
have a new account that I haven’t accessed yet? Ryan 


Sent from my iPhone 

>On Dec 16, 2021, at 10:21 PM, Coinbase Support <help@coinbase.com> wrote: 
> > Hello Ryan, 

> > Thank you very much for the updated information. 


> > Our team has been able to successfully transfer the balance from your old account to your 
new one. You should be able to access these funds immediately. 


> > We appreciate your patience during this process. Please let us know if you have additional 
questions by replying to this email. 


> > Kind regards, > Coinbase Support > > Ja> > ref: _OOD6A2G0qc._5003sXAEIt:ref 
Date: 2021-12-17 23:01:08 UTC 

From_address: help@coinbase.com 

From_name: Coinbase Support 


To_addres a 


Message: Hello Ryan, Your Coinbase account is currently restricted due to an owed balance 
caused by an unsuccessful payment for a transaction that was credited to your Coinbase Digital 
Wallet. 
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Per the terms of the User Agreement, you are responsible for the owed balance in your Coinbase 
account. On 2021-12-14 your bank reversed a charge of $1,025.00 for your attempted purchase 
on 2021-12-14 for BTC. The reference code for this transaction is LN9SRQLL. 


On 2021-12-14 your bank reversed a charge of $200.00 for your attempted purchase on 2021-12- 
14 for BTC. The reference code for this transaction is CBEXSQN6. 


Therefore, you currently have an owed balance of $1,225.00 which you will need to pay before 
you are eligible for a review of your purchasing ability. 


To view your owed balance and make a payment to resolve this balance, please visit: 
https://www.coinbase.com/payment_required 


You will be directed to a yellow banner that lets you know a transaction was reversed and a 
button to “Make Payment’. Selecting “Make Payment” will allow you to choose your payment 
method from a drop-down menu. 


If you would like to cash in digital currency from an external wallet to resolve the owed balance, 
you can find your crypto addresses here https://www.coinbase.com/addresses 


Due to restrictions placed by most card issuers, debit cards cannot be used to resolve a negative 
balance on a Coinbase account. For additional information regarding reversals, please contact 
your bank directly. Coinbase is not responsible for crediting your bank account for any fees 
incurred by your bank due to reversals. 


Thank you, Coinbase Support ref: OOD6A2G0qc._ 5003sXAEIt:ref 


Date: 2021-12-18 00:22:43 UTC 
From_address 
From_name: Ryan Dellone 

To_address: help@coinbase.com 


Message: Hello, There is an ongoing investigation by your fraud team. My account was hacked 
and the $1225 transaction was done fraudulently. There should be notes on my file describing the 
situation. You said there was money transferred to my account my account but I do not see this 
in my balance? Ryan Sent from my iPhone 


>On Dec 17, 2021, at 3:01 PM, Coinbase Support <help@coinbase.com> wrote: 
> > Hello Ryan, 


> > Your Coinbase account is currently restricted due to an owed balance caused by an 
unsuccessful payment for a transaction that was credited to your Coinbase Digital Wallet. Per the 
terms of the User Agreement, you are responsible for the owed balance in your Coinbase 
account. 
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> >On 2021-12-14 your bank reversed a charge of $1,025.00 for your attempted purchase on 
2021-12-14 for BTC. The reference code for this transaction is LN9SRQLL. 


> >On 2021-12-14 your bank reversed a charge of $200.00 for your attempted purchase on 
2021-12-14 for BTC. The reference code for this transaction is CREXSQN6. 


> > Therefore, you currently have an owed balance of $1,225.00 which you will need to pay 
before you are eligible for a review of your purchasing ability. To view your owed balance and 
make a payment to resolve this balance, please visit: 


https://www.coinbase.com/payment required 


> > You will be directed to a yellow banner that lets you know a transaction was reversed and a 
button to “Make Payment”. Selecting “Make Payment” will allow you to choose your payment 
method from a drop-down menu. 


> > If you would like to cash in digital currency from an external wallet to resolve the owed 
balance, you can find your crypto addresses here https://www.coinbase.com/addresses > > Due 
to restrictions placed by most card issuers, debit cards cannot be used to resolve a negative 
balance on a Coinbase account. 


> >For additional information regarding reversals, please contact your bank directly. Coinbase 
is not responsible for crediting your bank account for any fees incurred by your bank due to 
reversals. 


> > Thank you, > Coinbase Support > > ref: O0OD6A2G0qc._ 5003sXAElIt:ref 
Date: 2021-12-18 00:38:02 UTC 

From_address: help@coinbase.com 

From_name: Coinbase Support 

To_address 

Message: Hello Ryan, 


Thank you for contacting Coinbase Support regarding your recent account activity. Prior to a 
further review of your account, we request that you generate and review a transaction history 
report for your inquiry. To do so, please navigate to the following page: 
https://www.coinbase.com/reports 


1. Click the "Generate report" button 
2. Filter the report if applicable 
3. Select the file type that best suits your needs 


4. Click "Generate report" to download 
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If you still have questions regarding any transaction(s) in your account after reviewing the report, 
please locate the transaction(s) in question and provide the following information: 


- Reference Code (can be found in email receipt) - Amount (fiat value and crypto value) 
- Date of Order 
Please provide information regarding your specific inquiry in order for us to best assist you. 


Once we have this information we will review your account and provide you with further 
assistance. 


Thank you, Coinbase Support ref: OOD6A2G0qc._ 5003sXAEIt:ref 


Date: 2021-12-18 01:30:12 UTC 
From_address 
From_name: Ryan Dellone 

To_address: help@coinbase.com 


Message: I’m sorry why do I need to request a transaction history? I was told your fraud team is 
performing an investigation. Sent from my iPhone 


Date: 2021-12-18 05:48:48 UTC 
From_address: help@coinbase.com 
From_name: Coinbase Support 
To_address ay 
Message: Hi Ryan, 


Thanks for contacting us. It appears your account is restricted due to reversed transactions with 
your bank and an outstanding balance owed to Coinbase. 


We understand that your account may have been compromised and unauthorized activity 
occurred. Customers are responsible for the security of their devices and passwords, and for any 
activity that occurs when those devices or passwords are compromised. P 


lease read our security page for more information: 
https://support.coinbase.com/customer/en/portal/articles/1447997 


We recognize the difficult position this puts you in. However, we cannot reimburse or credit you 
for this outstanding balance owed to Coinbase because once digital currency is purchased or sent 
off the platform, we are unable to reverse these transactions. 
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Please note: For Coinbase to consider restoring the purchasing ability for your Coinbase account 
in the future, you will first need to first resolve the outstanding balance owed to Coinbase. 


Regards, Coinbase Support ref: OOD6A2G0qc._ 5003sXAEIt:ref 


Date: 2021-12-18 06:53:21 UTC 
From_address 
From_name: Ryan Dellone 

To_address: help@coinbase.com 


Message: I was told someone from the investigation team was going to reach out to me? When is 
this going to happen? Sent from my iPhone 


Date: 2021-12-18 10:56:23 UTC 
From_address: help@coinbase.com 
From_name: Coinbase Support 
To_address ay 
Message: Hello Ryan, 


Our decision remains final, and we're unable to make the requested changes to your Coinbase 
account. As a security measure, we can't elaborate on our internal decision process. Thank you 
for your understanding. 


Kind regards, Coinbase Support ref: OOD6A2G0qc._5003sXAEIt:ref 


Date: 2021-12-18 16:31:00 UTC 
From_address: 
From_name: Ryan Dellone 

To_address: help@coinbase.com 


Message: I’m not sure what requested changes you’re referring to? What changes have I 
requested? When I called to report the account had been hacked, I was told by your coinbase 
representative that another representative from the fraud team would be contacting me. Is this not 
true? Sent from my iPhone 
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Date: 2021-12-21 07:44:23 UTC 
From_address 
From_name: Ryan Dellone 

To_address: help@coinbase.com 
Message: Hello, 


My account was hacked and I was told someone from the fraud team would be reaching out to 
me regarding the status of the investigation. I have not received an update yet, can someone 
please give me a call? 


Thank you, Sent from my iPhone 


Date: 2021-12-21 09:26:38 UTC 

From_address: iy 

Subject: Hacked Account 

Message: Please have someone call me at J. Thank you 
Date: 2021-12-21 09:26:40 UTC 

From_address: help@coinbase.com 

From_name: Coinbase Support 

To_address ay 

Message: Hello, 


Thanks for submitting your request to Coinbase Support. We're here to help and will be in touch 
as soon as possible. In the meantime, you can find answers to many of your questions by visiting 
our Help Center . 


Regards, Coinbase Support 


ref: OOD6A2G0qc._5003sXB894:ref ©2021 Coinbase www.coinbase.com | Help Center | 
User Agreement and Privacy Policy 


Date: 2021-12-21 09:42:11 UTC 


From_address: help@coinbase.com 
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From_name: Coinbase Support 
To_address: a 
Message: Hi Ryan, 


We wanted to go ahead and acknowledge that we’ve received your inquiry. Also, because you've 
previously written to us about this same issue, we're going to merge your cases into a single 
email thread. We’re working hard to quickly address this issue, and we’ll reach back out as soon 
as we have an update. 


In the meantime, if you have any other questions about this issue please feel free to reply back to 
this email. 


Regards, Coinbase Support ref: OOD6A2G0qc._5003sX9ba2:ref 


Date: 2021-12-21 10:29:30 UTC 
From_address 

From_name: Ryan Dellone 

To_address: help@coinbase.com 

Message: Thank you so much! Ryan Sent from my iPhone 
Date: 2021-12-23 18:09:44 UTC 

From_address: help@coinbase.com 

From_name: Coinbase Support 

To_address ay 

Message: Hello Ryan, 


Thank you for your patience. To complete our security review, we need to verify your identity. 
Please upload a dated "ID Selfie" that shows your face and ID, both clearly visible, with you 
holding a piece of paper that reads "For Coinbase Verification" and has today's date. 


Please note: Your face, ID and the piece of paper need to be present in the same picture. Upload 
your ID Selfie through our secure SendSafely portal 
https://coinbase.sendsafely.com/dropzone/cx-files/09072 112 


Please use the same email address that you used for this support case. Also, we recommend using 
a desktop browser (Google Chrome works best) rather than a mobile browser. 


After we receive your ID Selfie, we'll review it and get back to you. Thank you for your 
patience. Kind 
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Regards, Coinbase Support 


Date: 2021-12-27 00:10:06 UTC 
From_address: help@coinbase.com 
From_name: Coinbase Support 
To_address 
Message: Hello, 


We need additional information from you before we can resolve this case. If you still require 
support with this inquiry, please reply to our original email with the needed information. 


If you are unable to locate our emails in your inbox, please check your spam and trash folders as 
some email providers automatically filter our automated messages as spam. 


If you no longer require support, please let us know and we'll close the case. We'll send a follow- 
up email every five days to check if you still need support with this inquiry. 


Thanks, Coinbase Support 


ref: OOD6A2G0qc._5003sX9ba2:ref ©2021 Coinbase www.coinbase.com | Help Center | User 
Agreement and Privacy Policy 


Date: 2021-12-27 04:16:19 UTC 
From_address 
From_name: Ryan Dellone 

To_address: help@coinbase.com 
Message: Hello, 

I have uploaded the ID selfie verification. 


Thank you, Ryan Sent from my iPhone 


Date: 2021-12-30 10:03:11 UTC 
From_address: help@coinbase.com 


From_name: Coinbase Support 
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To_address: aaa 
Message: Hello Ryan, 


Thanks for the additional information. We have put a hold on your account's ability to login for 
the time being until you are certain that your account is secure. No new outgoing transactions 
will be possible while the account is disabled, but pending transactions cannot be stopped due to 
the irrevocable nature of digital currency transactions. 


We have a few questions that will help us begin isolating the incident. Please note: that for 
security reasons, Coinbase phone support agents are not able to conduct security investigations. 


We must complete a security review by email before we will be able to unlock your account, so 
please answer these questions in writing to the best of your ability, even if you think you have 
resolved your concern: 


1) Was the device in your possession during the unauthorized activity? 


2) Have you been in touch with any customer service representative via phone or social media 
recently? If so, please provide us with the phone number or URL. 


3) Have you suffered any noticeable interruption in your phone service or been a victim of a 
phone port/sim swap? 


4) Have you received any unrequested email or SMS message from Coinbase that prompted you 
to click a link and enter your login credentials? If so, please send us a screenshot of that message 
so we can take a look. 


5) Do you use or have installed any remote desktop software recently? 


6) Have you recently installed any software or browser’s extension? If so, could you run a 
malware scan on your device and let us know the results? 


7) Can you provide any further information about how your credentials could have been 
compromised? As a security precaution, please immediately take steps to secure your email 
password and enable 2-step verification on your email if possible. 


Please also reset your Coinbase password, go to this link: 
https://www.coinbase.com/password _resets/new 


For additional information on setting a strong password go to this link: 
https://www.coinbase.com/password-faq We strive to investigate all security reports within 10 
business days. 


Some cases may require additional time for investigation due to the sensitive nature of 
irrevocable digital currencies. Thank you for your patience as we work to resolve the issue. 


Regards, Coinbase Support ref: OOD6A2G0qc._5003sX9ba2:ref 
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Date: 2022-01-05 02:47:51 UTC 

From_address: help@coinbase.com 

From_name: Coinbase Support 
To_address 

Message: Hello Ryan, 

Thanks for your patience while we investigated your case. 


Our records show that on 2021-12-14 3:30 PM PST, your Coinbase account password was 
accessed using a 2-step verification code sent to your verified mobile number using a Windows 
NT 10.0 device, from a VPN Protected IP address: 193.27.12.10. 


This device was also confirmed for use with your account via the new device confirmation link 
sent to your email address. 


As your 2FA method is set to SMS, we highly suggest you contact your service provider to 
ensure only you are in control of your number, as our investigation indicates your phone number 
may have been compromised. 


After your account was accessed, the following transactions occurred: 


*2021-12-14 3:43 PM PST pro_deposit -2.05698427 BTC was transferred to your Coinbase Pro 
account. *2021-12-14 4:06 PM PST Coinbase Pro Withdrawal of 2.05647401 BTC sent to 
external address bel qjp79ak6fxm4h7j0tsrwqx2n2k4tcqqveqxrvem, with 
crypto_transaction_hash: 

dbabalaad772b7e62995668f69ddf73d4d2003 1 f5fe15cd4d23a618e83 1clfel 


Please immediately take these security steps to secure access to your Coinbase account: 


1. Remove email forwarding—often these third parties use email forwarding to intercept future 
emails 


2. Create a new unique and complex email password 
3. Add 2-step verification to your email (highly recommended) 


4. Reset your Coinbase password at www.coinbase.com/password_resets/new after your email is 
secure 


5. Respond directly to this email for account recovery instructions once these steps are complete 


Once you have secured your Coinbase account with the steps above, please reply back to this 
email—your account will remain disabled until you do so. Please also report this potential theft 
to all law enforcement agencies in your area. 


Coinbase is committed to full cooperation in all law enforcement investigations. 
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Please note, Coinbase is unable to reverse digital currency transactions. Lastly, an Account 
Statement for 12/01/2021 to 01/05/2022 has been included in this email, but due to the sensitive 
nature of these documents, it can only be viewed using our secure portal, Send Safely, through 
this link: https://coinbase.sendsafely.com/receive/?thread=0TZA- 
2BYJ&packageCode=x7Rjyg212m0rQ0ZdjK BdPmboby4djqOM9IInsd Y 4Eyk#keyCode=bXEPG 
yKh6vLaZ3NsV3eA7bc3 ATY SY ZY HoPRaq_tJEhE 


Please use the same email address that you used for this support case. Also, we recommend using 
a desktop browser (Google Chrome works best) rather than a mobile browser. 


If you have any additional information on how your credentials were compromised by the 
unknown third party, please let us know. T 


hanks, Coinbase Support ref: OOD6A2G0qc._5003sX9ba2:ref 
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Date: 2021-12-15 06:01:07 UTC 
From_address: help@coinbase.com 
From_name: Coinbase Support 


To_address: 


Message: Hi Ryan ggg, Thanks for letting us know that you replaced your device. We’ve 
restored access to your account as you requested. 


To reset your 2-step verification method and disable your authenticator app, please follow the 
steps below: 


1. From a computer, use your email and password to sign in at https:/Awww.coinbase.com/signin 
2. When prompted for your 2-step verification code, select "I need help.” 
3. Select "I can't access my authenticator app anymore." 


4. Follow the instructions to complete Account Recovery. Note: If you do not receive a 2-step 
verification prompt after signing in, try clearing your browser cache or following the above steps 
in your browser's private mode. 


‘This process must be completed through the website and cannot be completed using the mobile 


app. For security reasons, you’!l be asked to provide a photo of the front and back of your ID and 
a photo of yourself taken at the time of the prompt. 


you should be able to 
sign in to your account via SMS codes and complete buys and sells. 


If you do not receive your SMS codes, or have any issues, please reach out to us. To protect your 
account from any unauthorized activity while you’re completing the account recovery process, 
we’ve blocked all outgoing transactions. 


IMPORTANT: After you’ve recovered your account, please let us know by replying to this 
email, so we can remove the lock on it. Otherwise you won’t be able to trade or complete any 
transactions after regaining access. 


Please note: that for your security, we are not able to completely remove 2-step verification. 
Regards, Coinbase Support 
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CCPA Letter to Coinbase 


By U.S. Mail: 

Coinbase, Inc. (CA Entity Nos. C4315976; C3548456) 
c/o C T Corporation System 

818 West Seventh St., Ste. 930 

Los Angeles, California 90017 


Coinbase Inc. (Legal Team) 

c/o CSC 

2710 Gateway Oaks Drive, Suite 150N 
Sacramento, CA 95833-3505 


Coinbase Custody Trust Company, LLC 
c/o C T Corporation System 

28 Liberty Street 

New York, New York 10005 


Via Email: legal@coinbase.com ; eric. wasik(@coinbase.com ; dpo@coinbase.com ; 
help@coinbase.com ; support/@coinbase.com 
Attachments: 4, B 


Attn: Coinbase Legal (Erik Wasik, Senior Counsel, Customer Disputes) 


Re: Notice of Violations of California Consumer Privacy Act (§§ 1798.100 ef seq.); 
California Consumer Legal Remedies Act (§§ 1770, e/ seq.); California’s Shine the Light Law 
(§§ 1798.83 et seq.); and California Penal Code § 496 (buying/receiving stolen property) 


Coinbase: 


My office represents Ryan Dellone (“my client”), a California resident who has been a Coinbase 
customer since October 2013, in connection with the losses and harms he sustained as a result of 
cybersecurity breaches and/or unauthorized account access, which occurred in late 2021 and 
resulted in the theft of my client’s cryptocurrencies as well as substantial interferences with my 
client’s private, sensitive, confidential, personal, and financial information, data, and other assets 
hosted by Coinbase, on the Coinbase Platform. 


At least three support tickets were opened by Coinbase related to this matter: Case # 09072112: 
Case # 09169654; and Case # 09112576. 
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BACKGROUND 


As of writing, my client still has not obtained complete and accurate customer account information 
from Coinbase in response to his request. Mr. Dellone is also still unable to log in to his Coinbase 
account; and for more than a year, Mr. Dellone has endured the wrongful deprivation of more than 
2.06 bitcoins, despite Mr. Dellone: (i) timely reporting the fraudulent activity to Coinbase; (ii) 
sufficiently proving his identity to Coinbase upon Coinbase’s request; and (iii) complying with the 
Dispute Resolution Process set out in Coinbase’s (unconscionable and unenforceable) User 
Agreement. 


Prior to December 2021, Coinbase exposed many of its customers’ credentials, including Mr. 
Dellone’s email address, to unauthorized third-parties. Not only did Coinbase leak its customers’ 
email addresses to unauthorized third-parties, Coinbase allowed its customers’ email addresses to 
be exploited by hackers who Coinbase knew, or should have known, were seeking to verify 
Coinbase customer phone numbers as part of concerted efforts to interfere with cellular phone 
subscription services used by Coinbase and its customers to “secure” assets in Coinbase’s custody. 


In the years leading up to the theft, Coinbase knew that bad actors were successfully leveraging 
leaked Coinbase credentials to identify, confirm, and unlawfully seize cellular services tied to 
Coinbase accounts. Coinbase also knew that its own “developer tools” and various vulnerabilities 
on Coinbase’s webpages and in its operational security, gave the general public, including 
scammers and black-hat hackers, the ability to gain unauthorized access to consumer financial 
accounts hosted by Coinbase (on the Coinbase Platform). 


Since at least 2017, Coinbase has known that unauthorized SIM Swaps pose uniquely severe risks 
to Coinbase customers in particular. Between 2018 and 2022, Coinbase observed a dramatic 
increase in the number of electronic financial transactions on the Coinbase Platform accomplished 
by unauthorized SIM Swaps—this rise in phone-based fraud was well documented by Coinbase 
users and the media.! 


Before December 2021, Coinbase could have addressed multiple critical vulnerabilities on its 
Platform by simply complying with widely-known, industry-standard good practices. For instance, 
instead of programming its webpage response forms to leak customer-account-specific email 
addresses to unauthorized third-parties (e.g., responding to a sign-up request with, “An account 
with that email already exists”), Coinbase could have easily reprogrammed its automated response 


' See, e.g., CoinTelegraph, Round-Up of Crypto Exchange Hacks So Far in 2019 — How Can They Be Stopped?, 
(published June 18, 2019); KrebsOnSecurity, How Coinbase Phishers Steal One-Time Passwords (“the phishing 
group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email 
addresses of more than 2.5 million Italians.”); ZDNet, Coinbase sends out breach notification letters after 6,000 
accounts had cryptocurrency stolen (published Oct. 1, 2021). 
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forms according to common sense (e.g., “Please check your email for further instructions,” or “We 
sent an email to that address”). 


No significant barriers could have reasonably prevented Coinbase from fixing its webpage 
response forms prior to December 2021. 


Nevertheless, virtually anyone capable of making a prank phone call could, in combination with 
an unauthorized “SIM Swap” attack, use credentials leaked by Coinbase to take complete control, 
or wipe, or launder ill-gotten gains through, efc. hundreds if not hundreds of thousands of Coinbase 
customer accounts, 


When I began assisting Mr. Dellone in January 2022, I requested (on multiple occasions) that 
Coinbase provide my office with Mr. Dellone’s Coinbase account transaction reports, account 
history, and other relevant data that I believe is necessary for my office/Mr. Dellone to conduct a 
thorough investigation into the unauthorized access of his account, the breaches of the Coinbase 
Platform affecting my client’s data, and the theft and current whereabouts of Mr. Dellone’s assets, 
and to advise my client accordingly. 


On January 3, 2022, I requested the following information from Coinbase (see Attachment A): 


e The full transaction history for Mr. Dellone’s account, from November 1, 2021 to the 
present, showing each and every buy and sell transaction, including the entire wallet 
addresses (both the sender and recipient addresses) and blockchain transaction IDs for 
every blockchain transaction involving his account assets; 

¢ The Log-in history / Access (or Activity) Log for Mr. Dellone’s account, showing the dates, 
times, IP addresses, geolocation data, session length, and browser types for all activity 
during the period of time from November 1, 2021 to the present; and 

e A\ll other data included in the statement of account for Mr. Dellone’s Coinbase account. 


Senior Counsel for Coinbase, Erik Wasik, responded to my request, initially by providing my 
office with an essentially useless “account statement” purporting to show transactions involving 
only Mr. Dellone’s Coinbase Pro Account. 


Mr. Wasik told me, via email, that Coinbase is only providing me and my client information “as a 
courtesy”—but California law requires Coinbase to provide the requested information. 


Mr. Wasik also informed me that Coinbase would not consider restoring access to my client’s 
Coinbase account “until he satisfies his negative balance with [Coinbase]”—the CCPA prohibits 
Coinbase from denying Mr. Dellone services, or providing Mr. Dellone a different level or quality 
services, in response to him exercising his rights under the CCPA. 
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On January 4, 2022, I reminded Mr. Wasik that “Mr. Dellone is a California resident; accordingly, 
he’s afforded applicable statutory rights pursuant to, inter alia, the California Consumer Privacy 
Act (‘CCPA’).” See Attachment A. | also specifically requested, on behalf of Mr. Dellone, that 
Coinbase provide: 


e Information regarding Mr. Dellone’s interaction with Coinbase’s products and/or services 
(including but not limited to the Coinbase website(s), application(s), and advertisements); 

e Inferences drawn by Coinbase from any of the information identified in the CCPA to create 
a profile about Mr. Dellone reflecting his preferences, characteristics, psychological trends, 
preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes (for 
example, the days and times when Mr. Dellone tends to access his Coinbase account); and 

e The categories of sources from which Coinbase collected Mr. Dellone’s Personal 
Information, including but not limited to: 

Unique personal identifier(s) 

Online identifier(s); 

IP address(es); 

Email address(es); 

Geolocation data; 

Records of personal property; 

Products or services purchased, obtained or considered, or other purchasing or 

consuming histories or tendencies; 

© Browsing history; 

o Search history; and 

o Log-in history. 


00000«C00UL6O 


On January 25, 2022, Coinbase provided its response in the form of a .TXT file. 


My office subsequently determined that the information Coinbase provided is incomplete and/or 
inaccurate. For that reason, among others, Coinbase’s responses to Mr. Dellone’s requests are 
insufficient to satisfy Coinbase’s requirements under the CCPA. 


I. CCPA Violations (See Attachment B) 


In violation of the CCPA, Coinbase has: (a) assisted criminal hackers involved in breaching the 
Coinbase Platform, or in their continuing efforts to exploit Mr. Dellone’s assets and remain 
unknown to Mr. Dellone; (b) withheld information Coinbase has collected from and about my 
client’s Coinbase account, including relevant records related to the scope of Mr. Dellone’s 
sensitive and personal information affected by breaches of the Coinbase Platform; and (c) 
subjected Mr. Dellone’s data to unauthorized access, exfiltration, thefi, and disclosure that 
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Coinbase caused when it violated its duties to implement and maintain reasonable security 
procedures and practices appropriate to the nature and sensitivity of my client’s data. 


A. Right to Non-Discrimination 


Under the CCPA, businesses are not permitted to deny a customer goods or services, charge a 
customer a different price, or provide a different level or quality of goods or services to a customer, 
merely because a customer has exercised his or her rights under the CCPA. Coinbase has violated 
the CCPA by denying Mr. Dellone access to his Coinbase account for over a year (and counting), 
and by providing insufficient replies and incomplete or doctored information in response to Mr. 
Dellone’s previous information requests regarding the breach of his consumer financial accounts 
and Coinbase’s unauthorized leaks of his personal data. 


B. Personal Information Security Breaches 


According to my investigation, Coinbase’s webpage vulnerabilities allowed hackers to identify 
and confirm Mr. Dellone’s Coinbase-associated email address and phone number; and based on 
that information, the hackers were able to exploit automated software programs and Coinbase’s 
own “developer tools” in their attempts to brute force Mr. Dellone’s Coinbase account password 
and/or engage in credential stuffing for the same purpose, prior to attempting to “SIM Swap” Mr. 
Dellone. 


The hackers may have also been able to use Coinbase’s developer tools to verify Mr. Dellone’s 
Coinbase account data and check the balance of digital assets stored in Mr. Dellone’s Coinbase 
account, prior to, or as a part of, their concerted efforts to steal his property. 


Under the CCPA, any consumer—whose nonencrypted and nonredacted personal information; or 
whose email address in combination with a password or security question and answer that would 
permit access to the account—is subject to an unauthorized access and exfiltration, theft, or 
disclosure by a business, as a result of the business’s violation of its duty to implement and 
maintain reasonable security procedures and practices appropriate to protect the information, based 
on the nature of the information. Aggrieved consumers are entitled to recover: 


e Actual damages; 
e Injunctive or declaratory relief; and 
e Any other relief the court deems proper. 


On December 14, 2021, and on previous and subsequent occasions, Coinbase improperly disclosed 
Mr. Dellone’s first and last name, email address, and one or more Coinbase security answers (e.g., 
phone number used with 2FA), and subjected to unauthorized access, exfiltration, theft, or 
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disclosure at least one of the following nonencrypted and nonredacted items of Mr. Dellone’s 
personal information—his: 


e Social security number; 

e Driver’s license number; 

e Tax identification number; 

e Financial account number; 

e Bank card number combined with Coinbase access code and/or password that allowed 
hackers access funds in Mr. Dellone’s bank account: 

e Unique biometric data used to identify Mr. Dellone’s identity; and/or 


e Unique biometrics data stored for facial and/or voice and/or online behavioral recognition 
purposes. 


C. Prop 24 Rights 


As of January 1, 2023, businesses, including Coinbase, are responsible for taking additional steps 
to protect Coinbase customers’ private information, including: 


e Ceasing to share information upon the consumer’s request; 
e Correcting any inaccurate personal information upon a consumer’s request; and 
e Taking reasonable security measures to protect personal information. 


Coinbase has intentionally and unlawfully ceased sharing information with Mr. Dellone, 
apparently as a result of his requests for Coinbase’s disclosure of information. Because Coinbase 
has ceased sharing information with my client, Mr. Dellone remains unable to determine the 
accuracy of the personal information Coinbase is sharing about him. 


Coinbase also has not provided Mr. Dellone with complete or accurate statements of the personal 
information that Coinbase has collected on my client. Coinbase’s failure to provide this 
information adversely impacts my client’s right to correct inaccurate personal information that 
Coinbase has about him; and to limit Coinbase’s use and disclosure of sensitive personal 
information that Coinbase has collected about him. 


Because Coinbase has prevented Mr. Dellone from accessing his Coinbase account for over a year, 
my client has been unable to determine the accuracy of the personal information Coinbase has 
collected about him. 


Additionally, at least during the period of time between December 2021 and February 2021, 
Coinbase failed to satisfy its obligations to implement reasonable security measures designed to 
protect the sensitive personal information Coinbase collected about Mr. Dellone. 
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D. Harms Sustained As A Result of Breach 


Mr. Dellone has suffered injuries stemming from Coinbase’s loss and unauthorized exposure of 
his valuable, personal, private, and sensitive digital data, including: 


(1) Continued risks to Mr. Dellone’s PII, to the extent it is still in Coinbase’s possession and 
subject to further unauthorized disclosures, for as long Coinbase fails to take appropriate 
measures to protect my client’s PII; 

(2) Lost or diminished value of his cyber-identification data—for instance, whereas legitimate 
buyers of user data compensate users with contracted-for services in exchange for personal 
information, now, as a result of Coinbase’s disclosures to unauthorized third-parties, 
hackers can now obtain this data for free; 

(3) Out-of-pocket expenses associated with the prevention, detection, and recovery from 
identity theft, tax fraud, and unauthorized use of Mr. Dellone’s Personally Identifiable 
Information (“PIT”): 

(4) Lost opportunity costs associated with efforts expended and Mr. Dellone’s loss of 
productivity by attempting to mitigate the consequences of the Coinbase’s actions and 
omissions, including but not limited to Mr. Dellone’s lost time at an estimated average loss 
of $125 per hour in lost labor hours, which he has spent or must spend restoring the ability 
to log into and completely recover his Coinbase account; dealing with impersonation 
activities, including phishing emails; reviewing his credit reports; scrutinizing his financial 
information; mitigating his potential losses; detecting identity theft; and changing his 
passwords; and 

(5) Future costs in terms of loss of time, effort, and money that will be expended to monitor, 
prevent, detect, contest, and repair the impact of the cyber-identification data compromised 
as a result of Coinbase’s actions and omissions, for the remainder of Mr. Dellone’s life. 


E. Requested Remedies For CCPA Violations 
Mr. Dellone hereby demands that Coinbase: 


(1) Immediately provide Mr. Dellone access to his Coinbase account; 


(2) Compensate Mr. Dellone for the actual costs he incurred as a result of the conversion 
of his property; 


(3) Immediately cease sharing and selling Mr. Dellone’s information; and 
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(4) To the extent Coinbase has not already taken reasonable security measures necessary 
to protect Mr. Dellone’s personal information, immediately take such appropriate 
measures. 


II. CLRA Violations 


A. Sections 1770(a)(5), (7), and (9) 


Among other statements made by Coinbase to its customers regarding its purported use of 
customer data collected from and about its customers, Coinbase specifically made the following 
representations in violation of section1770(a)(5): (a) Coinbase claimed it used Cookies “to 
recognize” its customers and “to collect information about your [the Coinbase customer’s] 
computer or other access device to mitigate risk, help prevent fraud, and promote trust and safety”; 
(b) Coinbase stated that it engages in the “monitoring of IP addresses” as part of what it believes 
is a “reasonable risk-based program” aimed at complying with Anti-Money Laundering and Know 
Your Customer regulations. When Coinbase made these statements, Coinbase knew it was 
collecting IP addresses, device IDs, PII, and installing Cookies, Flash Cookies, and Web Beacons 
on Mr. Dellone’s devices, and collecting the information therefrom, primarily for purposes not 
related to security. 


Among other statements, Coinbase also made the following representations, in violation of 
section1770(a)(7), which indicated that Coinbase’s cybersecurity was of a particular quality, which 
it was not: (¢) Coinbase claimed that no customer assets had ever been lost due to breach of the 
Coinbase Platform (e.g., Coinbase Global Inc., SEC Form S-1, “What Sets Us Apart”); and (d) 
Coinbase represented that Coinbase customers must use a “branded” cellular telecommunications 
providers’ services to access Coinbase’s services and products via mobile device, and that 
Coinbase users are prevented from utilizing Voice-Over-Internet-Protocol (or “VOIP”) numbers 
with their Coinbase accounts”. 


In violation of section 1770(a)(9), Coinbase advertised, without the intent to sell, its services as 
including a means by which Coinbase customers can: (e) limit their liability for stolen 
cryptocurrencies by timely reporting unauthorized transactions to Coinbase; and (f) reasonably 
resolve their disputes, specifically disputes concerning fraudulent transactions, with Coinbase. 


* See, e.g., User Agreement (“Further, you [the customer] authorize your wireless operator (AT&T, Sprint, T- 
Mobile, US Cellular, Verizon, or any other branded wireless operator) to use your mobile number, name, address, 
email, network status, customer type, customer role, billing type, mobile device identifiers (IMSI and IMEI) and 
other subscriber status details, if available, solely to allow verification of your identity and to compare information 
you have provided to Coinbase with your wireless operator account profile information for the duration of the 
business relationship. See our Privacy Policy for how we [Coinbase] treat your data.””) (emphasis added). 
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Additionally, in violation of section 1770(a), Coinbase represented that: (g) its custodial services 
included reasonable customer support services, including live agents who respond to customer 
phone calls, when Coinbase’s custodial services did not, in fact, include such characteristics or 
benefits during the period of time between December 2021 and February 2022; and (h) US Dollars, 
which are legal tender, are essentially the same as USD Coins, which not legal tender—USD and 
USDC are not interchangeable assets. See Stamp Payments Act of 1862 (18 U.S.C. § 336). 


B. Requested Remedies for CLRA Violations 
Mr. Dellone demands that Coinbase: 


(1) Individually and through its agents, servants, employees, and all persons acting 
under, in concert with, or for Coinbase, immediately cease collecting customer cyber- 
identification data that Coinbase does not reasonably use to help Coinbase detect 
fraud involving Coinbase customer accounts hosted on the Coinbase Platform. 


(2) Immediately cease its circulation of either or both USD and USDC on its Platform, as 
continuing to do so constitutes a deceptive act or practice undertaken by Coinbase in 
its transactions with Coinbase customers that Coinbase intended to result and, which 
has in fact resulted in the sale or lease of goods (digital assets) or services (custodial 
services) to consumers. 


(3) Take steps to purge VOIP numbers from, and prevent VOIP numbers from being 
used on its Platform. 


(4) Provide written and/or other sufficient adequate assurances that it will immediately 
take steps to remove all public representations, and no longer make any future public 
statements, indicating that “no customer assets has ever been lost due to breach of the 
Coinbase Platform.” 


Ill. Shine The Light Law Violations 


As Coinbase knows, Mr. Dellone’s personal information has monetary value and can be sold for a 
profit or exchanged for services. 


Mr. Dellone requested his account data from Coinbase in January 2022, February 2022, and April 
2023, and on each occasion Coinbase failed to provide him with complete, accurate, and timely 
information disclosures. 


Coinbase failed to comply with Cal. Civ. Code § 1798.83(b)(1) when it prevented Mr. Dellone 
from accessing his Coinbase account, diluting the value of Mr. Dellone’s personal information by 


EXHIBIT C 


Case 1:23-cv-01408-ADA-HBK DodQtelt1-4 Filed 09/26/23 Page 10 of 11 
THE LAW OFFICE OF ETHAN MORA 
1140 E. Herndon Ave., Suite 103 
Fresno, CA 93720 


Thursday, April 20, 2023 
CCPA Letter to Coinbase 


foiling his efforts to correct misinformation, and (or because) Coinbase has deprived him of the 
opportunity to sell his personal information for financial gain. Accordingly, Mr. Dellone has not 
received the full value of the services for which he paid Coinbase. 


Coinbase’s failure to comply with Cal. Civ. Code § 1798.83(b)(1) has prevented Mr. Dellone from 
mitigating his ongoing injuries caused by the breach(es) of his financial accounts hosted by 
Coinbase on the Coinbase Platform. 


Coinbase’s failure to provide Mr. Dellone with the proper section 1798.83(b)(1) disclosures has 
deprived Mr. Dellone of value and caused him economic harm. Mr. Dellone has sustained, and 
continues to sustain, monetary injuries as a direct and proximate cause of Coinbase’s violations of 
section 1798.83(b). 


IV. Criminal Code Violations 


California Penal Code § 496(a) prohibits any person from buying or receiving “any property that 
has been stolen or that has been obtained in any manner constituting theft or extortion, knowing 
the property to be so stolen or obtained, or who conceals, sells, withholds, or aids in concealing, 
selling, or withholding any property from the owner, knowing the property to be so stolen or 
obtained.” 


Coinbase violated California Penal Code § 496 by obtaining, concealing, selling, and/or 
withholding personal property (Crypto-Assets and digital U.S. dollars) stolen from Mr. Dellone, 
and by aiding in such criminal conduct, knowing that said property was stolen. 


Mr. Dellone’s demands the return of his stolen assets, or a writing by Coinbase disclaiming all 
rights and title to: 


e The 2.05698427 bitcoins currently located at Bitcoin Public Key Address, 
belgjp79ak6fxm4h 7j0tsrwqx2n2k4tcqqvegxrvgm; 


e The Security Token rewards (and/or tokens) or “gains” from Mr. Dellone’s 
staked/baked/invested tokens earned through his Coinbase account, which are 
currently in Coinbase’s possession; 


e Any fungible substitute property that could serve in lieu of each unique asset 
converted by Coinbase on and after December 14, 2021. 


Under California Penal Code § 496(c), Mr. Dellone is entitled to over $300,000—three times the 
amount of his actual damages, which exceed $101,763.00. 
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CONCLUSION 


Coinbase has caused Mr. Dellone damages in an amount exceeding 2.06 bitcoins plus $300,000, 
exclusive of costs and fees. 


Should Coinbase wish to discuss my client’s rights and his imminent claims against Coinbase 
(including but not limited to prospective causes of action based on Coinbase’s failure to remedy 
the issues specifically outlined in this Letter), my contact information is below: 


Email: EthanMoraLaw(@pm.me 
Phone: (559) 370-1485 


Thank you, 


The Law Office of Ethan Mora 
Ethan E. Mora, Esq. 
Attorney for Mr. Ryan Deilone 
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